[ https://issues.apache.org/jira/browse/FLINK-29065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hongbo updated FLINK-29065:
---------------------------
    Description: 
Though, how is it fixed in Flink 1.14? We can still see Netty 3.10.6 is used in 
the latest version: 
[https://github.com/apache/flink/blob/master/flink-rpc/flink-rpc-akka/pom.xml#L102]
 and it shows up in the scan results:

|Netty Project|3.10.6.Final|BDSA-2018-4022|MEDIUM|4.7|
|Netty Project|3.10.6.Final|BDSA-2019-2642|MEDIUM|6.5|
|Netty Project|3.10.6.Final|BDSA-2019-2643|MEDIUM|6.7|
|Netty Project|3.10.6.Final|BDSA-2019-2649|MEDIUM|6.5|
|Netty Project|3.10.6.Final|BDSA-2019-2610|HIGH|7.2|
|Netty Project|3.10.6.Final|CVE-2019-16869 (BDSA-2019-3119)|HIGH|7.5|
|Netty Project|3.10.6.Final|BDSA-2020-0130|HIGH|8.8|
|Netty Project|3.10.6.Final|CVE-2019-20444 (BDSA-2019-4231)|CRITICAL|9.1|
|Netty Project|3.10.6.Final|CVE-2019-20445 (BDSA-2019-4230)|CRITICAL|9.1|
|Netty Project|3.10.6.Final|BDSA-2020-0666|MEDIUM|6.5|
|Netty Project|3.10.6.Final|CVE-2021-21290 (BDSA-2021-0311)|MEDIUM|5.5|
|Netty Project|3.10.6.Final|CVE-2021-21295 (BDSA-2021-0589)|MEDIUM|5.9|
|Netty Project|3.10.6.Final|CVE-2021-21409 (BDSA-2021-0828)|MEDIUM|5.9|
|Netty Project|3.10.6.Final|CVE-2021-37136|HIGH|7.5|
|Netty Project|3.10.6.Final|CVE-2021-37137|HIGH|7.5|
|Netty Project|3.10.6.Final|CVE-2021-43797 (BDSA-2021-3741)|MEDIUM|6.5|
|Netty Project|3.10.6.Final|CVE-2022-24823|MEDIUM|5.5|

  was: Flink v1.11.3 contains netty (version: 3.10.6) and netty (version: 4.1.60). 
There are many vulnerabilities, like CVE-2021-21409, CVE-2021-21295, etc. Please 
confirm these versions and fix. Thx.
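The report above pairs a scanner table with a pointer to the `pom.xml` that declares the flagged artifact. The following added example (not code from the issue, from Flink, or from the scanner vendor) shows the two checks a maintainer triaging such a ticket would script: parse the Jira-style pipe rows into findings and summarize them by severity and top CVSS, and scan a Maven POM for any `io.netty` dependency still on the 3.x line. The `pom.xml` fragment is constructed for the example; it reuses the `io.netty:netty:3.10.6.Final` coordinates the issue points at and the 4.1.60 version mentioned in the old description, and is not Flink's real POM.

```python
import re
import xml.etree.ElementTree as ET

# Scan rows in the issue's table format: |component|version|advisory|severity|cvss|
SCAN_ROWS = """
|Netty Project|3.10.6.Final|BDSA-2018-4022|MEDIUM|4.7|
|Netty Project|3.10.6.Final|BDSA-2019-2642|MEDIUM|6.5|
|Netty Project|3.10.6.Final|BDSA-2019-2643|MEDIUM|6.7|
|Netty Project|3.10.6.Final|BDSA-2019-2649|MEDIUM|6.5|
|Netty Project|3.10.6.Final|BDSA-2019-2610|HIGH|7.2|
|Netty Project|3.10.6.Final|CVE-2019-16869 (BDSA-2019-3119)|HIGH|7.5|
|Netty Project|3.10.6.Final|BDSA-2020-0130|HIGH|8.8|
|Netty Project|3.10.6.Final|CVE-2019-20444 (BDSA-2019-4231)|CRITICAL|9.1|
|Netty Project|3.10.6.Final|CVE-2019-20445 (BDSA-2019-4230)|CRITICAL|9.1|
|Netty Project|3.10.6.Final|BDSA-2020-0666|MEDIUM|6.5|
|Netty Project|3.10.6.Final|CVE-2021-21290 (BDSA-2021-0311)|MEDIUM|5.5|
|Netty Project|3.10.6.Final|CVE-2021-21295 (BDSA-2021-0589)|MEDIUM|5.9|
|Netty Project|3.10.6.Final|CVE-2021-21409 (BDSA-2021-0828)|MEDIUM|5.9|
|Netty Project|3.10.6.Final|CVE-2021-37136|HIGH|7.5|
|Netty Project|3.10.6.Final|CVE-2021-37137|HIGH|7.5|
|Netty Project|3.10.6.Final|CVE-2021-43797 (BDSA-2021-3741)|MEDIUM|6.5|
|Netty Project|3.10.6.Final|CVE-2022-24823|MEDIUM|5.5|
"""

# Constructed POM fragment (not Flink's real pom.xml): one Netty 3.x and one
# Netty 4.x dependency, so the check has something to flag and something to pass.
POM_XML = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty</artifactId>
      <version>3.10.6.Final</version>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-all</artifactId>
      <version>4.1.60.Final</version>
    </dependency>
  </dependencies>
</project>
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_scan_rows(text):
    """Turn Jira pipe-table rows into finding dicts; rows with the wrong column count are skipped."""
    findings = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5:
            continue
        component, version, advisory, severity, score = cells
        cve = CVE_RE.search(advisory)
        findings.append({
            "component": component,
            "version": version,
            "advisory": advisory,
            "cve": cve.group(0) if cve else None,  # BDSA-only rows carry no CVE id
            "severity": severity,
            "cvss": float(score),
        })
    return findings


def summarize(findings):
    """Counts per severity, the highest CVSS score, and the distinct CVE ids for the ticket summary."""
    by_severity = {}
    for f in findings:
        by_severity[f["severity"]] = by_severity.get(f["severity"], 0) + 1
    return {
        "count": len(findings),
        "max_cvss": max((f["cvss"] for f in findings), default=0.0),
        "by_severity": by_severity,
        "cves": sorted({f["cve"] for f in findings if f["cve"]}),
    }


def netty3_dependencies(pom_text):
    """Return groupId:artifactId:version for every io.netty dependency still on the 3.x line."""
    root = ET.fromstring(pom_text)
    hits = []
    for dep in root.iterfind(".//m:dependency", POM_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        ver = dep.findtext("m:version", default="", namespaces=POM_NS)
        if gid == "io.netty" and ver.startswith("3."):
            hits.append(f"{gid}:{aid}:{ver}")
    return hits


if __name__ == "__main__":
    print(summarize(parse_scan_rows(SCAN_ROWS)))
    print("Netty 3.x still declared:", netty3_dependencies(POM_XML))
```

The POM check only looks at versions declared literally in the fragment; in a real build the effective version can come from a parent POM, a property, or dependency management, so the authoritative answer is the resolved dependency tree, and the POM scan is a cheap first pass to confirm what the scanner reported.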


> Flink v1.15.1 contains netty (version: 3.10.6). There are many vulnerabilities, 
> like CVE-2021-21409 etc. Please confirm these versions and fix. Thx
> ------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: FLINK-29065
>                 URL: https://issues.apache.org/jira/browse/FLINK-29065
>             Project: Flink
>          Issue Type: Bug
>          Components: Runtime / Coordination
>    Affects Versions: 1.11.3, 1.12.2, 1.13.0
>            Reporter: Hongbo
>            Priority: Not a Priority
>              Labels: auto-deprioritized-major, auto-deprioritized-minor
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)