[jira] [Updated] (FLINK-29065) Flink v1.15.1 contains netty(version:3.10.6). There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx

Mon, 22 Aug 2022 09:08:03 -0700 


     [ 
https://issues.apache.org/jira/browse/FLINK-29065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hongbo updated FLINK-29065:
---------------------------
    Affects Version/s: 1.15.1

> Flink v1.15.1 contains netty(version:3.10.6). There are many vulnerabilities, 
> like CVE-2021-21409 etc. please confirm these version and fix. thx
> ------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: FLINK-29065
>                 URL: https://issues.apache.org/jira/browse/FLINK-29065
>             Project: Flink
>          Issue Type: Bug
>          Components: Runtime / Coordination
>    Affects Versions: 1.11.3, 1.12.2, 1.13.0, 1.15.1
>            Reporter: Hongbo
>            Priority: Not a Priority
>              Labels: auto-deprioritized-major, auto-deprioritized-minor
>
> Though FLINK-22441 states it's fixed, we can still see Netty 3.10.6 is used 
> in the latest version: 
> [https://github.com/apache/flink/blob/master/flink-rpc/flink-rpc-akka/pom.xml#L102]
>  and it show up in the security scan results:
>  
> |Netty Project|3.10.6.Final|BDSA-2018-4022|MEDIUM|4.7|
> |Netty Project|3.10.6.Final|BDSA-2019-2642|MEDIUM|6.5|
> |Netty Project|3.10.6.Final|BDSA-2019-2643|MEDIUM|6.7|
> |Netty Project|3.10.6.Final|BDSA-2019-2649|MEDIUM|6.5|
> |Netty Project|3.10.6.Final|BDSA-2019-2610|HIGH|7.2|
> |Netty Project|3.10.6.Final|CVE-2019-16869 (BDSA-2019-3119)|HIGH|7.5|
> |Netty Project|3.10.6.Final|BDSA-2020-0130|HIGH|8.8|
> |Netty Project|3.10.6.Final|CVE-2019-20444 (BDSA-2019-4231)|CRITICAL|9.1|
> |Netty Project|3.10.6.Final|CVE-2019-20445 (BDSA-2019-4230)|CRITICAL|9.1|
> |Netty Project|3.10.6.Final|BDSA-2020-0666|MEDIUM|6.5|
> |Netty Project|3.10.6.Final|CVE-2021-21290 (BDSA-2021-0311)|MEDIUM|5.5|
> |Netty Project|3.10.6.Final|CVE-2021-21295 (BDSA-2021-0589)|MEDIUM|5.9|
> |Netty Project|3.10.6.Final|CVE-2021-21409 (BDSA-2021-0828)|MEDIUM|5.9|
> |Netty Project|3.10.6.Final|CVE-2021-37136|HIGH|7.5|
> |Netty Project|3.10.6.Final|CVE-2021-37137|HIGH|7.5|
> |Netty Project|3.10.6.Final|CVE-2021-43797 (BDSA-2021-3741)|MEDIUM|6.5|
> |Netty Project|3.10.6.Final|CVE-2022-24823|MEDIUM|5.5|



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to