[ https://issues.apache.org/jira/browse/FLINK-33149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17768867#comment-17768867 ]

Matthias Pohl commented on FLINK-33149:
---------------------------------------

Thanks for looking into it. I did a code investigation to see where we use 
snappy in flink core.

Snappy was introduced for the state backend and used in 
[SnappyStreamCompressionDecorator.java:25-26|https://github.com/apache/flink/blob/116f297478f2d443178510565b1cd5a2f387e241/flink-runtime/src/main/java/org/apache/flink/runtime/state/SnappyStreamCompressionDecorator.java#L25].
 The classes that are affected by this vulnerability ({{SnappyInputStream}} and 
{{SnappyOutputStream}}) are not used. Flink uses {{SnappyFramedInputStream}} 
and {{SnappyFramedOutputStream}}. Therefore, it's not critical and priority 
Major makes sense. But it's still good to have this fixed considering the 
alerts that might pop up in security scanners.

I also did a brief analysis of a few connector implementations:
{code}
➜  workspace for c in $(ls -d flink-connector*); do echo $c; grep --include=pom.xml -Hirn snappy $c; done
flink-connector-aws
flink-connector-aws/pom.xml:254:                <groupId>org.xerial.snappy</groupId>
flink-connector-aws/pom.xml:255:                <artifactId>snappy-java</artifactId>
flink-connector-cassandra
flink-connector-elasticsearch
flink-connector-gcp-pubsub
flink-connector-hbase
flink-connector-hbase/pom.xml:245:                                              <groupId>org.xerial.snappy</groupId>
flink-connector-hbase/pom.xml:246:                                              <artifactId>snappy-java</artifactId>
flink-connector-hive
flink-connector-jdbc
flink-connector-kafka
flink-connector-kafka/pom.xml:70:        <snappy-java.version>1.1.8.3</snappy-java.version>
flink-connector-kafka/pom.xml:231:                <groupId>org.xerial.snappy</groupId>
flink-connector-kafka/pom.xml:232:                <artifactId>snappy-java</artifactId>
flink-connector-kafka/pom.xml:233:                <version>${snappy-java.version}</version>
flink-connector-mongodb
flink-connector-opensearch
flink-connector-pulsar
flink-connector-rabbitmq
flink-connector-redis-streams
{code}

Only {{flink-connector-kafka}} and {{flink-connector-aws}} have this dependency 
listed. None of them actually uses any classes from within the {{xerial}} 
package:
{code}
for c in $(ls -d flink-connector*); do echo $c; grep --include="*java" -Hirn xerial $c; done
flink-connector-aws
flink-connector-cassandra
flink-connector-elasticsearch
flink-connector-gcp-pubsub
flink-connector-hbase
flink-connector-hive
flink-connector-jdbc
flink-connector-kafka
flink-connector-mongodb
flink-connector-opensearch
flink-connector-pulsar
flink-connector-rabbitmq
flink-connector-redis-streams
{code}

Would it be worth removing the dependency from the connectors entirely? WDYT?
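As an added example (not code from the Flink project or from this comment), the script below goes one step beyond the grep above: it pulls the declared snappy-java version out of each module's pom.xml, resolves a ${property} reference the way the Kafka connector declares it, and flags every declared version older than 1.1.10.4, the release the issue bumps to. The module tree it scans is constructed inline for the demo; only the Kafka property value 1.1.8.3 comes from the grep output above, while the aws module's explicit 1.1.10.1 and the hbase module's version-managed-elsewhere case are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the Flink project or the comment author: audit
# Maven modules for the snappy-java version they declare and flag anything
# older than the release named in the issue. Versions are compared as dotted
# numeric tuples, so pre-release suffixes are ignored (assumption).

FIXED_VERSION="1.1.10.4"   # release the issue bumps to

# version_lt A B: succeed when dotted version A sorts before B.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}   # drop suffixes such as -SNAPSHOT
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  return 1
}

# snappy_version_in_pom POM: print the version declared for the snappy-java
# artifact, resolving a ${property} reference against the same pom. Prints
# nothing when the artifact is absent or its version is managed elsewhere.
snappy_version_in_pom() {
  pom="$1"
  v=$(awk '/<artifactId>snappy-java<\/artifactId>/ { found = 1; next }
           found && /<version>/ { sub(/.*<version>/, ""); sub(/<\/version>.*/, ""); print; exit }
           found && /<\/dependency>/ { exit }' "$pom")
  case "$v" in
    '${'*'}')
      prop=${v#??}; prop=${prop%?}            # strip the ${ and } wrapper
      v=$(sed -n "s/.*<$prop>\([^<]*\)<\/$prop>.*/\1/p" "$pom" | head -n 1)
      ;;
  esac
  printf '%s' "$v"
}

# audit_snappy ROOT: one status line per pom that declares snappy-java; returns
# 1 if any declared version is older than FIXED_VERSION. Assumes pom paths
# contain no whitespace.
audit_snappy() {
  root="$1"; rc=0
  for pom in $(find "$root" -name pom.xml | sort); do
    grep -q '<artifactId>snappy-java</artifactId>' "$pom" || continue
    v=$(snappy_version_in_pom "$pom")
    if [ -z "$v" ]; then
      echo "managed-elsewhere $pom"
    elif version_lt "$v" "$FIXED_VERSION"; then
      echo "VULNERABLE $pom $v (< $FIXED_VERSION)"; rc=1
    else
      echo "ok $pom $v"
    fi
  done
  return $rc
}

# Constructed demo tree mirroring the cases seen in the grep output.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/flink-connector-kafka" "$DEMO/flink-connector-aws" \
         "$DEMO/flink-connector-hbase" "$DEMO/flink-connector-jdbc"
cat > "$DEMO/flink-connector-kafka/pom.xml" <<'EOF'
<project>
  <properties><snappy-java.version>1.1.8.3</snappy-java.version></properties>
  <dependencies><dependency>
    <groupId>org.xerial.snappy</groupId>
    <artifactId>snappy-java</artifactId>
    <version>${snappy-java.version}</version>
  </dependency></dependencies>
</project>
EOF
cat > "$DEMO/flink-connector-aws/pom.xml" <<'EOF'
<project><dependencies><dependency>
  <groupId>org.xerial.snappy</groupId>
  <artifactId>snappy-java</artifactId>
  <version>1.1.10.1</version>
</dependency></dependencies></project>
EOF
cat > "$DEMO/flink-connector-hbase/pom.xml" <<'EOF'
<project><dependencies><dependency>
  <groupId>org.xerial.snappy</groupId>
  <artifactId>snappy-java</artifactId>
</dependency></dependencies></project>
EOF
printf '<project><dependencies/></project>\n' > "$DEMO/flink-connector-jdbc/pom.xml"

audit_snappy "$DEMO" || echo "at least one module declares snappy-java older than $FIXED_VERSION"
```

The managed-elsewhere line is the case worth a second look in a real audit: a pom that lists the artifact without a version inherits it from a parent or BOM, so the effective version only shows up in the resolved dependency tree (for example via the Maven dependency plugin), not in the module's own file.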

> Bump snappy-java to 1.1.10.4
> ----------------------------
>
>                 Key: FLINK-33149
>                 URL: https://issues.apache.org/jira/browse/FLINK-33149
>             Project: Flink
>          Issue Type: Bug
>          Components: API / Core, Connectors / AWS, Connectors / HBase, 
> Connectors / Kafka, Stateful Functions
>    Affects Versions: 1.18.0, 1.16.3, 1.17.2
>            Reporter: Ryan Skraba
>            Assignee: Ryan Skraba
>            Priority: Major
>              Labels: pull-request-available
>
> Xerial published a security alert for a Denial of Service attack that [exists on 1.1.10.1|https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv].
> This is included in flink-dist, but also in flink-statefun, and several 
> connectors.
