[
https://issues.apache.org/jira/browse/FLINK-39713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18082821#comment-18082821
]
Purushottam Sinha commented on FLINK-39713:
-------------------------------------------
|| CVE || Affected || Fix || CVSS v3.1 || Severity || Description ||
| [CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161] | log4j-core 2.0-beta9 → 2.25.2 | 2.25.3 | 4.8 | MEDIUM | Socket Appender doesn't validate TLS hostnames; MITM on log traffic |
| [CVE-2026-34477|https://nvd.nist.gov/vuln/detail/CVE-2026-34477] | log4j-core 2.12.0 → 2.25.3 | 2.25.4 | 5.9 | MEDIUM | {{verifyHostName}} silently ignored for SMTP/Socket/Syslog TLS connections |
| [CVE-2026-34478|https://nvd.nist.gov/vuln/detail/CVE-2026-34478] | log4j-core 2.21.0 → 2.25.3 | 2.25.4 | 7.5 | *HIGH* | CRLF log injection via {{Rfc5424Layout}} after undocumented attribute renames |
| [CVE-2026-34479|https://nvd.nist.gov/vuln/detail/CVE-2026-34479] | log4j-1.2-api bridge 2.7 → 2.25.3 | 2.25.4 | 7.5 | *HIGH* | {{Log4j1XmlLayout}} doesn't escape XML 1.0-forbidden chars; downstream-log DoS |
| [CVE-2026-34480|https://nvd.nist.gov/vuln/detail/CVE-2026-34480] | log4j-core ({{XmlLayout}}) ≤ 2.25.3 | 2.25.4 | 7.5 | *HIGH* | {{XmlLayout}} doesn't sanitize XML 1.0-forbidden chars; downstream-log DoS |
| [GHSA-72hv-8253-57qq|https://github.com/advisories/GHSA-72hv-8253-57qq] | jackson-core 2.0.0–2.18.5, 2.19.0–2.21.0 | 2.18.6 / 2.21.1 | 6.9 (CVSS v4) | MODERATE | Async parser bypasses {{maxNumberLength}}; memory/CPU exhaustion via long numbers |
*Note:* NVD scores three of the five log4j CVEs as HIGH (7.5) —
CVE-2026-34478, CVE-2026-34479, CVE-2026-34480. Trivy classified them as
MEDIUM; we're following NVD here.
> flink-kubernetes-operator: Bump log4j, jackson, and Beam to retire CVEs
> -----------------------------------------------------------------------
>
> Key: FLINK-39713
> URL: https://issues.apache.org/jira/browse/FLINK-39713
> Project: Flink
> Issue Type: Technical Debt
> Components: Kubernetes Operator
> Reporter: Purushottam Sinha
> Priority: Minor
> Labels: pull-request-available
>
> Problem
> Direct dependencies log4j, jackson-bom, and Beam (in the Flink Beam example)
> ship versions flagged by Trivy across operator and example modules. Bumping
> each to its latest stable within the same major retires ~50 of the report's
> findings without any transitive overrides.
> Evidence
> - pom.xml:90 log4j.version 2.23.1 — CVE-2025-68161, CVE-2026-34477,
> CVE-2026-34478, CVE-2026-34479, CVE-2026-34480
> - pom.xml:128 jackson-bom 2.15.0 — GHSA-72hv-8253-57qq
> - examples/flink-beam-example/pom.xml:36 beam.version 2.62.0 — 37
> example-only findings (kaml, okio, wire-runtime, kafka-clients,
> opentelemetry-api, parallel Netty)
> Proposed fix
> - pom.xml:90: log4j.version 2.23.1 → 2.25.4
> - pom.xml:128: jackson-bom 2.15.0 → 2.21.3
> - examples/flink-beam-example/pom.xml:36: beam.version 2.62.0 → 2.73.0
> Acceptance
> - ./mvnw verify passes
> - trivy fs --scanners vuln . shows the listed CVEs cleared
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
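The acceptance criterion "trivy fs --scanners vuln . shows the listed CVEs cleared" can be turned into a CI gate that keys on the exact identifiers in the comment's table rather than on severity, so the NVD-versus-Trivy rating mismatch noted above cannot let a finding slip past a "fail on HIGH" policy. This is an added example, not code from FLINK-39713 or the operator repository; it assumes a report produced with `trivy fs --scanners vuln --format json -o report.json .` in Trivy's documented JSON shape (Results[].Vulnerabilities[].VulnerabilityID), and the embedded sample report is constructed.

```python
"""Fail a CI step while any finding this ticket retires is still reported.

Added example, not part of FLINK-39713. Assumes a Trivy JSON report
(Results[].Vulnerabilities[].VulnerabilityID); the sample below is constructed.
"""
import json
import sys

# Identifiers from the ticket's table. Matching on ID, not severity, means a
# finding Trivy rates MEDIUM where NVD says HIGH still blocks the build.
TARGET_IDS = frozenset({
    "CVE-2025-68161", "CVE-2026-34477", "CVE-2026-34478",
    "CVE-2026-34479", "CVE-2026-34480", "GHSA-72hv-8253-57qq",
})


def remaining_findings(report, target_ids=TARGET_IDS):
    """(id, package, installed, fixed, target) for each tracked ID still present."""
    hits = []
    for result in report.get("Results") or []:
        # Trivy omits or nulls "Vulnerabilities" for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln.get("VulnerabilityID")
            if vid in target_ids:
                hits.append((vid, vuln.get("PkgName"), vuln.get("InstalledVersion"),
                             vuln.get("FixedVersion"), result.get("Target")))
    return sorted(hits, key=lambda hit: hit[0])


def cleared_ids(report, target_ids=TARGET_IDS):
    """Tracked IDs that no longer appear anywhere in the scan."""
    return target_ids - {hit[0] for hit in remaining_findings(report, target_ids)}


# Constructed report fragment resembling a scan taken before the bump.
SAMPLE_BEFORE = {"Results": [
    {"Target": "pom.xml", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2026-34478", "PkgName": "org.apache.logging.log4j:log4j-core",
         "InstalledVersion": "2.23.1", "FixedVersion": "2.25.4", "Severity": "MEDIUM"},
        {"VulnerabilityID": "GHSA-72hv-8253-57qq", "PkgName": "com.fasterxml.jackson.core:jackson-core",
         "InstalledVersion": "2.15.0", "FixedVersion": "2.18.6, 2.21.1", "Severity": "MEDIUM"}]},
    {"Target": "examples/flink-beam-example/pom.xml"}]}


def main(argv):
    """Exit 1 while any tracked finding remains; no argument runs the sample."""
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_BEFORE
    hits = remaining_findings(report)
    for hit in hits:
        print("STILL PRESENT: %s in %s %s (fixed in %s) at %s" % hit)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real report as `python gate.py report.json` after the version bumps; it exits non-zero until every identifier in the table is gone.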