[ https://issues.apache.org/jira/browse/FLINK-33149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17768867#comment-17768867 ]
Matthias Pohl commented on FLINK-33149:
---------------------------------------

Thanks for looking into it. I did a code investigation to see where we use snappy in flink core. Snappy was introduced for the state backend and used in [SnappyStreamCompressionDecorator.java:25-26|https://github.com/apache/flink/blob/116f297478f2d443178510565b1cd5a2f387e241/flink-runtime/src/main/java/org/apache/flink/runtime/state/SnappyStreamCompressionDecorator.java#L25]. The classes that are affected by this vulnerability ({{SnappyInputStream}} and {{SnappyOutputStream}}) are not used. Flink uses {{SnappyFramedInputStream}} and {{SnappyFramedOutputStream}}. Therefore, it's not critical and priority Major makes sense. But it's still good to have this fixed considering the alerts that might pop up in security scanners.

I also did a brief analysis of a few connector implementations:
{code}
➜ workspace for c in $(ls -d flink-connector*); do echo $c; grep --include=pom.xml -Hirn snappy $c; done
flink-connector-aws
flink-connector-aws/pom.xml:254: <groupId>org.xerial.snappy</groupId>
flink-connector-aws/pom.xml:255: <artifactId>snappy-java</artifactId>
flink-connector-cassandra
flink-connector-elasticsearch
flink-connector-gcp-pubsub
flink-connector-hbase
flink-connector-hbase/pom.xml:245: <groupId>org.xerial.snappy</groupId>
flink-connector-hbase/pom.xml:246: <artifactId>snappy-java</artifactId>
flink-connector-hive
flink-connector-jdbc
flink-connector-kafka
flink-connector-kafka/pom.xml:70: <snappy-java.version>1.1.8.3</snappy-java.version>
flink-connector-kafka/pom.xml:231: <groupId>org.xerial.snappy</groupId>
flink-connector-kafka/pom.xml:232: <artifactId>snappy-java</artifactId>
flink-connector-kafka/pom.xml:233: <version>${snappy-java.version}</version>
flink-connector-mongodb
flink-connector-opensearch
flink-connector-pulsar
flink-connector-rabbitmq
flink-connector-redis-streams
{code}
Only {{flink-connector-kafka}} and {{flink-connector-aws}} have this dependency listed.

None of them actually uses any classes from within the {{xerial}} package:
{code}
for c in $(ls -d flink-connector*); do echo $c; grep --include="*java" -Hirn xerial $c; done
flink-connector-aws
flink-connector-cassandra
flink-connector-elasticsearch
flink-connector-gcp-pubsub
flink-connector-hbase
flink-connector-hive
flink-connector-jdbc
flink-connector-kafka
flink-connector-mongodb
flink-connector-opensearch
flink-connector-pulsar
flink-connector-rabbitmq
flink-connector-redis-streams
{code}
Would it be worth removing the dependency from the connectors entirely? WDYT?

> Bump snappy-java to 1.1.10.4
> ----------------------------
>
>                 Key: FLINK-33149
>                 URL: https://issues.apache.org/jira/browse/FLINK-33149
>             Project: Flink
>          Issue Type: Bug
>          Components: API / Core, Connectors / AWS, Connectors / HBase,
>                      Connectors / Kafka, Stateful Functions
>    Affects Versions: 1.18.0, 1.16.3, 1.17.2
>            Reporter: Ryan Skraba
>            Assignee: Ryan Skraba
>            Priority: Major
>              Labels: pull-request-available
>
> Xerial published a security alert for a Denial of Service attack that
> [exists on 1.1.10.1|https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv].
> This is included in flink-dist, but also in flink-statefun, and several
> connectors.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
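The two greps in the comment above answer different questions: whether a module declares snappy-java in its pom.xml (and at which version), and whether any of its sources actually reference the unframed SnappyInputStream/SnappyOutputStream classes the comment names as affected. The script below is an added example, not code from the Jira thread or from the Flink project, that automates both checks over a source tree and flags declared versions older than the 1.1.10.4 this ticket bumps to. The module layout and file contents produced by make_fixture are constructed for the demonstration; the property-resolution logic in declared_snappy_version is an assumption modelled on the `<snappy-java.version>` pattern visible in the kafka connector grep output.

```shell
#!/bin/sh
# Added example (not from the Jira thread or Flink): per flink-connector* module,
# report (1) whether pom.xml declares snappy-java and at what version, and
# (2) which Java sources reference the unframed SnappyInputStream/SnappyOutputStream.
# The tree built by make_fixture is constructed, not real Flink modules.
set -eu

FIXED_VERSION=1.1.10.4   # version this ticket bumps to

# Print names of flink-connector* modules whose pom.xml mentions snappy-java.
modules_declaring_snappy() {
  root=$1
  for d in "$root"/flink-connector*; do
    [ -d "$d" ] || continue
    if grep -rqi --include=pom.xml 'snappy-java' "$d"; then basename "$d"; fi
  done
}

# Print the snappy-java version a pom declares, resolving a <snappy-java.version>
# property when the <version> element refers to one (assumed pattern).
declared_snappy_version() {
  awk '
    /<snappy-java.version>/ {
      line = $0; sub(/.*<snappy-java.version>/, "", line)
      sub(/<\/snappy-java.version>.*/, "", line); prop = line
    }
    /<artifactId>snappy-java<\/artifactId>/ { want = 1; next }
    want && /<version>/ {
      line = $0; sub(/.*<version>/, "", line); sub(/<\/version>.*/, "", line)
      v = line; want = 0
    }
    END { if (v == "${snappy-java.version}") v = prop; if (v != "") print v }
  ' "$1"
}

# Exit 0 when dotted version $1 is numerically older than $2, component-wise.
version_older_than() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Print Java files (relative to root) referencing the unframed classes.
# -w keeps look-alike identifiers such as MySnappyInputStream from matching.
unframed_stream_users() {
  root=$1
  grep -rlwE --include='*.java' 'SnappyInputStream|SnappyOutputStream' "$root" \
    | while IFS= read -r f; do printf '%s\n' "${f#"$root/"}"; done | sort
}

audit_report() {
  root=$1
  for m in $(modules_declaring_snappy "$root"); do
    v=$(declared_snappy_version "$root/$m/pom.xml")
    if version_older_than "$v" "$FIXED_VERSION"; then status=UPDATE; else status=ok; fi
    printf '%s declares snappy-java %s [%s]\n' "$m" "${v:-(no version)}" "$status"
  done
  users=$(unframed_stream_users "$root")
  if [ -n "$users" ]; then printf 'unframed stream classes referenced in:\n%s\n' "$users"
  else echo "no source references the unframed stream classes"; fi
}

# Constructed fixture: a property-driven pom like kafka's, one at the fixed
# version using only the framed stream, and one module without the dependency.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/flink-connector-kafka/src/main/java/demo" \
           "$root/flink-connector-demo/src/main/java/demo" "$root/flink-connector-jdbc"
  cat > "$root/flink-connector-kafka/pom.xml" <<'EOF'
<project>
  <properties><snappy-java.version>1.1.8.3</snappy-java.version></properties>
  <dependencies><dependency>
    <groupId>org.xerial.snappy</groupId>
    <artifactId>snappy-java</artifactId>
    <version>${snappy-java.version}</version>
  </dependency></dependencies>
</project>
EOF
  cat > "$root/flink-connector-demo/pom.xml" <<'EOF'
<project><dependencies><dependency>
  <groupId>org.xerial.snappy</groupId>
  <artifactId>snappy-java</artifactId>
  <version>1.1.10.4</version>
</dependency></dependencies></project>
EOF
  : > "$root/flink-connector-jdbc/pom.xml"
  cat > "$root/flink-connector-demo/src/main/java/demo/Framed.java" <<'EOF'
import org.xerial.snappy.SnappyFramedInputStream; // framed: not the affected class
class Framed {}
EOF
  cat > "$root/flink-connector-kafka/src/main/java/demo/Legacy.java" <<'EOF'
import org.xerial.snappy.SnappyInputStream; // unframed: affected class
class Legacy {}
EOF
  printf '%s\n' "$root"
}

audit_report "$(make_fixture)"
```

Run against a real checkout with `audit_report /path/to/workspace` instead of the fixture; a module that lists the dependency but shows up in neither the version report's UPDATE line nor the usage list is exactly the case the comment raises, where dropping the dependency altogether is the simpler fix than bumping it.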