[
https://issues.apache.org/jira/browse/FLINK-39713?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated FLINK-39713:
-----------------------------------
Labels: pull-request-available (was: )
> flink-kubernetes-operator: Bump log4j, jackson, and Beam to retire CVEs
> -----------------------------------------------------------------------
>
> Key: FLINK-39713
> URL: https://issues.apache.org/jira/browse/FLINK-39713
> Project: Flink
> Issue Type: Technical Debt
> Components: Kubernetes Operator
> Reporter: Purushottam Sinha
> Priority: Major
> Labels: pull-request-available
>
> Problem
>
> Direct dependencies log4j, jackson-bom, and Beam (in the Flink Beam example)
> ship versions flagged by Trivy across operator and example modules. Bumping
> each to its latest stable within the same major retires ~50 of the report's
> findings without any transitive overrides.
>
> Evidence
>
> - pom.xml:90 log4j.version 2.23.1 — CVE-2025-68161, CVE-2026-34477, CVE-2026-34478, CVE-2026-34479, CVE-2026-34480
> - pom.xml:128 jackson-bom 2.15.0 — GHSA-72hv-8253-57qq
> - examples/flink-beam-example/pom.xml:36 beam.version 2.62.0 — 37 example-only findings (kaml, okio, wire-runtime, kafka-clients, opentelemetry-api, parallel Netty)
>
> Proposed fix
>
> - pom.xml:90: log4j.version 2.23.1 → 2.25.4
> - pom.xml:128: jackson-bom 2.15.0 → 2.18.6
> - examples/flink-beam-example/pom.xml:36: beam.version 2.62.0 → 2.73.0
>
> Acceptance
>
> - ./mvnw verify passes
> - trivy fs --scanners vuln . shows the listed CVEs cleared
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
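A floor check for the three pins the ticket names, as an added example that is not code from the issue, the pull request or the operator repository. It parses a Maven POM and reports any of log4j.version, jackson-bom or beam.version that still sits below the version the "Proposed fix" section targets; SAMPLE_POM is a constructed stand-in for the real pom.xml files, deliberately left on the pre-fix versions.

```python
# Added illustration for FLINK-39713, not code from the ticket or the operator
# repo: parse a Maven POM and flag the three pins the ticket names when they
# sit below the floor it proposes. SAMPLE_POM is a constructed stand-in for
# pom.xml / examples/flink-beam-example/pom.xml, kept on the pre-fix versions.
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Floors copied from the ticket's "Proposed fix" section.
FLOORS = {"log4j.version": "2.25.4", "jackson-bom": "2.18.6", "beam.version": "2.73.0"}

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <log4j.version>2.23.1</log4j.version>
    <beam.version>2.62.0</beam.version>
  </properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson</groupId>
      <artifactId>jackson-bom</artifactId>
      <version>2.15.0</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

def parse_version(v):
    """'2.25.4' -> (2, 25, 4): compare numerically, so 2.9 < 2.25 as intended."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def pinned_versions(pom_xml):
    """Collect {name: version} for log4j, Beam (properties) and jackson-bom (BOM)."""
    root = ET.fromstring(pom_xml)
    found = {}
    for prop in ("log4j.version", "beam.version"):
        node = root.find(f"m:properties/m:{prop}", NS)
        if node is not None and node.text:
            found[prop] = node.text.strip()
    for dep in root.iterfind("m:dependencyManagement/m:dependencies/m:dependency", NS):
        if dep.findtext("m:artifactId", namespaces=NS) == "jackson-bom":
            found["jackson-bom"] = dep.findtext("m:version", namespaces=NS).strip()
    return found

def below_floor(pom_xml, floors=FLOORS):
    """Return {name: (pinned, floor)} for each pin older than its floor; empty = OK."""
    pins = pinned_versions(pom_xml)
    return {n: (pins[n], f) for n, f in floors.items()
            if n in pins and parse_version(pins[n]) < parse_version(f)}
```

Versions written as `${property}` references are not resolved here and would be reported as below the floor; resolve them first or extend pinned_versions before using this as a CI gate.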