[ https://issues.apache.org/jira/browse/FLINK-39713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18082823#comment-18082823 ]

Purushottam Sinha commented on FLINK-39713:
-------------------------------------------

  || CVE || Package (current → fix) || Severity || Description ||
  | [CVE-2023-28118|https://nvd.nist.gov/vuln/detail/CVE-2023-28118] | kaml 0.20.0 → 0.53.0 | HIGH | DoS while parsing YAML with anchors and aliases |
  | [CVE-2021-39194|https://nvd.nist.gov/vuln/detail/CVE-2021-39194] | kaml 0.20.0 → 0.35.3 | MEDIUM | Improper handling of missing values |
  | [CVE-2025-55163|https://nvd.nist.gov/vuln/detail/CVE-2025-55163] | grpc-netty-shaded 1.67.1 → 1.75.0 | HIGH | HTTP/2 "MadeYouReset" DDoS |
  | [CVE-2026-33870|https://nvd.nist.gov/vuln/detail/CVE-2026-33870] | netty-codec-http 4.1.110 → 4.1.132 | HIGH | Request smuggling via chunked-encoding extension values |
  | [CVE-2026-42584|https://nvd.nist.gov/vuln/detail/CVE-2026-42584] | netty-codec-http 4.1.110 → 4.1.133 | HIGH | Netty codec-http advisory |
  | [CVE-2026-42587|https://nvd.nist.gov/vuln/detail/CVE-2026-42587] | netty-codec-http(2) 4.1.110 → 4.1.133 | HIGH | Netty codec-http(2) advisory |
  | [CVE-2026-42583|https://nvd.nist.gov/vuln/detail/CVE-2026-42583] | netty-codec 4.1.110 → 4.1.133 | HIGH | Netty codec advisory |
  | [CVE-2025-55163|https://nvd.nist.gov/vuln/detail/CVE-2025-55163] | netty-codec-http2 4.1.110 → 4.1.124 | HIGH | HTTP/2 "MadeYouReset" DDoS |
  | [CVE-2026-33871|https://nvd.nist.gov/vuln/detail/CVE-2026-33871] | netty-codec-http2 4.1.110 → 4.1.132 | HIGH | HTTP/2 CONTINUATION frame flood DoS |
  | [CVE-2025-24970|https://nvd.nist.gov/vuln/detail/CVE-2025-24970] | netty-handler 4.1.110 → 4.1.118 | HIGH | SslHandler native crash on malformed packets |
  | [CVE-2025-58056|https://nvd.nist.gov/vuln/detail/CVE-2025-58056] | netty-codec-http 4.1.110 → 4.1.125 | LOW | Request smuggling via chunk extensions |
  | [CVE-2026-42578|https://nvd.nist.gov/vuln/detail/CVE-2026-42578] | netty-handler-proxy 4.1.110 → 4.1.133 | LOW | Netty handler-proxy advisory |
  | [CVE-2025-58057|https://nvd.nist.gov/vuln/detail/CVE-2025-58057] | netty-codec 4.1.110 → 4.1.125 | MEDIUM | BrotliDecoder zip-bomb DoS |
  | [CVE-2025-67735|https://nvd.nist.gov/vuln/detail/CVE-2025-67735] | netty-codec-http 4.1.110 → 4.1.129 | MEDIUM | Request smuggling via CRLF injection |
  | [CVE-2026-41417|https://nvd.nist.gov/vuln/detail/CVE-2026-41417] | netty-codec-http 4.1.110 → 4.1.133 | MEDIUM | Request smuggling via URI manipulation and CRLF injection |
  | [CVE-2026-42580|https://nvd.nist.gov/vuln/detail/CVE-2026-42580] | netty-codec-http 4.1.110 → 4.1.133 | MEDIUM | Netty codec-http advisory |
  | [CVE-2026-42581|https://nvd.nist.gov/vuln/detail/CVE-2026-42581] | netty-codec-http 4.1.110 → 4.1.133 | MEDIUM | Netty codec-http advisory |
  | [CVE-2026-42585|https://nvd.nist.gov/vuln/detail/CVE-2026-42585] | netty-codec-http 4.1.110 → 4.1.133 | MEDIUM | Netty codec-http advisory |
  | [CVE-2024-47535|https://nvd.nist.gov/vuln/detail/CVE-2024-47535] | netty-common 4.1.110 → 4.1.115 | MEDIUM | DoS on Windows app using Netty |
  | [CVE-2025-25193|https://nvd.nist.gov/vuln/detail/CVE-2025-25193] | netty-common 4.1.110 → 4.1.118 | MEDIUM | DoS on Windows app using Netty |
  | [CVE-2025-12183|https://nvd.nist.gov/vuln/detail/CVE-2025-12183] | lz4-java 1.6.0 → 1.8.1 | HIGH | Out-of-bounds memory ops; info disclosure |
  | [CVE-2025-66566|https://nvd.nist.gov/vuln/detail/CVE-2025-66566] | lz4-java 1.6.0 → (no fix) | HIGH | Info disclosure via insufficient output buffer clearing |
  | [CVE-2023-3635|https://nvd.nist.gov/vuln/detail/CVE-2023-3635] | okio 3.0.0 → 3.4.0 | MEDIUM | GzipSource improper exception handling |
  | [CVE-2024-58103|https://nvd.nist.gov/vuln/detail/CVE-2024-58103] | wire-runtime 4.8.0 → 5.2.0 | MEDIUM | Uncontrolled recursion on nested groups |
  | [CVE-2026-45292|https://nvd.nist.gov/vuln/detail/CVE-2026-45292] | opentelemetry-api 1.42.1 → 1.62.0 | MEDIUM | Unbounded memory allocation in W3C baggage propagation |
  | [CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924] | commons-lang3 3.14.0 → 3.18.0 | MEDIUM | Uncontrolled recursion |
  | [CVE-2021-38153|https://nvd.nist.gov/vuln/detail/CVE-2021-38153] | kafka-clients 2.4.1 → 2.6.3 | MEDIUM | Timing attack vulnerability |
  | [CVE-2024-31141|https://nvd.nist.gov/vuln/detail/CVE-2024-31141] | kafka-clients 2.4.1 → 3.7.1 | MEDIUM | Privilege escalation via automatic ConfigProvider |
  | [CVE-2026-33558|https://nvd.nist.gov/vuln/detail/CVE-2026-33558] | kafka-clients 2.4.1 → 3.9.2 | MEDIUM | Sensitive info exposure in DEBUG logs |
  | [CVE-2025-41249|https://nvd.nist.gov/vuln/detail/CVE-2025-41249] | spring-core 5.3.27 → 6.2.11 | HIGH | Annotation Detection vulnerability |
  | [CVE-2024-38808|https://nvd.nist.gov/vuln/detail/CVE-2024-38808] | spring-expression 5.3.27 → 5.3.39 | MEDIUM | DoS via crafted SpEL expression |

  *Likely cleared by Beam 2.73.0:* kaml, grpc-netty-shaded, okio, wire-runtime, opentelemetry-api, commons-lang3, kafka-clients, and most Netty findings (Beam's bundled Netty advances several minors between 2.62 and 2.73). The jackson-core advisory that also flows through this chain is handled by the {{jackson-bom 2.21.3}} bump in the same PR.

  *Possibly still open after the Beam bump:*
  * {{spring-core}} CVE-2025-41249 — fix only on Spring 6.2.11; Beam 2.x is still on Spring 5.x.
  * {{spring-expression}} CVE-2024-38808 — needs Spring 5.3.39; depends on Beam's Spring patch level.
  * The latest Netty CVEs requiring 4.1.133 — depends on the exact Netty version Beam 2.73 pulls.
  * {{lz4-java}} CVE-2025-66566 — no upstream fix yet.


> flink-kubernetes-operator: Bump log4j, jackson, and Beam to retire CVEs
> -----------------------------------------------------------------------
>
>                 Key: FLINK-39713
>                 URL: https://issues.apache.org/jira/browse/FLINK-39713
>             Project: Flink
>          Issue Type: Technical Debt
>          Components: Kubernetes Operator
>            Reporter: Purushottam Sinha
>            Priority: Minor
>              Labels: pull-request-available
>
> Problem
> Direct dependencies log4j, jackson-bom, and Beam (in the Flink Beam example) 
> ship versions flagged by Trivy across operator and example modules. Bumping 
> each to its latest stable within the same major retires ~50 of the report's 
> findings without any transitive overrides.
> Evidence
>   - pom.xml:90 log4j.version 2.23.1 — CVE-2025-68161, CVE-2026-34477, 
> CVE-2026-34478, CVE-2026-34479, CVE-2026-34480
>   - pom.xml:128 jackson-bom 2.15.0 — GHSA-72hv-8253-57qq
>   - examples/flink-beam-example/pom.xml:36 beam.version 2.62.0 — 37 
> example-only findings (kaml, okio, wire-runtime, kafka-clients, 
> opentelemetry-api, parallel Netty)
> Proposed fix
>   - pom.xml:90: log4j.version 2.23.1 → 2.25.4
>   - pom.xml:128: jackson-bom 2.15.0 → 2.21.3
>   - examples/flink-beam-example/pom.xml:36: beam.version 2.62.0 → 2.73.0
> Acceptance
>   - ./mvnw verify passes
>   - trivy fs --scanners vuln . shows the listed CVEs cleared
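One way to check the acceptance criterion above (that the post-bump `trivy fs` scan no longer reports the listed CVEs) against the cleared / possibly-open split in the comment. This is an added example, not the ticket's or the operator project's code; the report it reads is a constructed sample in the shape Trivy's `--format json` output is assumed to take here (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion).

```python
import json

# Constructed sample of `trivy fs --format json` output (not a real scan):
# the assumed schema is Results[].Vulnerabilities[] with the fields used below.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "examples/flink-beam-example/pom.xml",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2025-66566", "PkgName": "org.lz4:lz4-java",
         "InstalledVersion": "1.6.0", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2025-41249", "PkgName": "org.springframework:spring-core",
         "InstalledVersion": "5.3.27", "FixedVersion": "6.2.11", "Severity": "HIGH"},
    ]}]})

# CVE ids from the comment's table: those the Beam bump is expected to clear,
# and those flagged as possibly still open afterwards.
EXPECTED_CLEARED = {"CVE-2023-28118", "CVE-2021-39194", "CVE-2025-55163",
                    "CVE-2023-3635", "CVE-2024-58103", "CVE-2026-45292",
                    "CVE-2025-48924", "CVE-2021-38153", "CVE-2024-31141"}
POSSIBLY_OPEN = {"CVE-2025-41249", "CVE-2024-38808", "CVE-2025-66566"}


def load_findings(report_json: str) -> dict:
    """Map each reported CVE id to (package, installed, fixed) from a Trivy report."""
    findings = {}
    for result in json.loads(report_json).get("Results", []):
        # Targets with no findings carry no "Vulnerabilities" key (or null).
        for vuln in result.get("Vulnerabilities") or []:
            findings[vuln["VulnerabilityID"]] = (
                vuln["PkgName"], vuln["InstalledVersion"], vuln.get("FixedVersion", ""))
    return findings


def triage(report_json: str, expected_cleared: set, possibly_open: set) -> dict:
    """Classify the scan against the ticket's expectations.

    regressions: expected cleared but still reported (the bump did not take);
    still_open:  flagged as possibly open and indeed still reported;
    no_fix_yet:  reported with an empty FixedVersion (nothing to bump to);
    unexpected:  reported but on neither list (needs a fresh look).
    """
    findings = load_findings(report_json)
    found = set(findings)
    return {
        "regressions": sorted(expected_cleared & found),
        "still_open": sorted(possibly_open & found),
        "no_fix_yet": sorted(c for c, (_, _, fixed) in findings.items() if not fixed),
        "unexpected": sorted(found - expected_cleared - possibly_open),
    }


if __name__ == "__main__":
    for key, cves in triage(SAMPLE_REPORT, EXPECTED_CLEARED, POSSIBLY_OPEN).items():
        print(f"{key:12s} {', '.join(cves) or '-'}")
```

Run it against a real report with `trivy fs --scanners vuln --format json -o report.json .` and feed the file contents to `triage`; a non-empty `regressions` list means the bump did not retire what the ticket says it should.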



--
This message was sent by Atlassian Jira
(v8.20.10#820010)