Hey Vidya Sagar,

*- Is the code actually using this compression library? Can this
vulnerability issue be ignored?*

I glanced at the LZ4 in Flink. IIUC, LZ4 is used to compress blocks in
batch table which was introduced by FLINK-11858[1], FLINK-23447[2] bumped
it to 1.8. So, LZ4 is actually used

---

Hi Vidya,

Please keep in mind that the Flink project is driven by volunteers. If
you're noticing an outdated version for the lz4 compression library and an
update is required, it would be great if you can open the PR to update that
dependency yourself.

Best regards,

Martijn

On Thu, Dec 8, 2022

---

Thank you Yanfei for taking this issue as a bug and planning a fix in the
upcoming version.

I have another vulnerability bug coming on our product. It is related to
the "LZ4" compression library version. Can you please take a look at this
link?

https://nvd.nist.gov/vuln/detail/CVE-2019-17543

I

---

Hi Vidya Sagar,

Thanks for bringing this up.

The RocksDB state backend defaults to Snappy[1]. If the compression option
is not specifically configured, this vulnerability of ZLIB has no effect on
the Flink application for the time being.

*> is there any plan in the coming days to address this?

---

Hi,

There is a ZLIB vulnerability reported by the official National
Vulnerability Database. This vulnerability causes memory corruption while
deflating with ZLIB version less than 1.2.12.

Here is the link for details...

https://nvd.nist.gov/vuln/detail/cve-2018-25032#vulnCurrentDescriptionTitle
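The two questions the thread keeps returning to are "is the shipped version below the fixed one?" and "is that code path actually exercised?" (the ZLIB reply notes the RocksDB backend defaults to Snappy, so the zlib path is only hit when compression is explicitly configured). The following is an added example, not code from the thread or from the Flink project: a small Python audit that compares an inventory of compression libraries against minimum fixed versions and separates "vulnerable on an active path" from "vulnerable but not exercised". The only fixed version it carries is zlib 1.2.12, which the thread states; the inventory entries and the `in_use` flags are constructed sample data, and for LZ4 no fixed version is given because the thread does not state one.

```python
"""Audit a dependency inventory against minimum fixed versions.

Added example, not Flink code. The inventory below is constructed sample
data; the only real fixed version is zlib 1.2.12 (CVE-2018-25032, per the
thread). Whether a library is "in use" has to come from the deployment
(e.g. whether a compression option was explicitly configured), which is why
it is an input here rather than something this script can discover.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import re


@dataclass(frozen=True)
class Dependency:
    name: str       # library name as it appears in the inventory
    version: str    # version string, e.g. "1.2.11"
    in_use: bool    # True if the code path that calls this library is active


# Minimum versions that contain the fix. Only zlib is stated in the thread;
# add other entries from an authoritative source, not from memory.
FIXED_VERSIONS: Dict[str, str] = {
    "zlib": "1.2.12",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.11' into (1, 2, 11). Non-numeric suffixes like '-SNAPSHOT'
    are ignored so that '1.2.12-rc1' still compares as 1.2.12."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in version {version!r}")
    return tuple(int(p) for p in parts)


def below(version: str, minimum: str) -> bool:
    """True when `version` is older than `minimum` (tuple comparison, so
    1.2.11.1 < 1.2.12 and 1.10 > 1.9)."""
    return parse_version(version) < parse_version(minimum)


def audit(inventory: List[Dependency],
          fixed: Dict[str, str] = FIXED_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (name, version, status) for every dependency below its fixed
    version. Libraries with no known fixed version are skipped, not assumed
    safe."""
    findings = []
    for dep in inventory:
        minimum = fixed.get(dep.name)
        if minimum is None or not below(dep.version, minimum):
            continue
        status = "vulnerable" if dep.in_use else "vulnerable-not-exercised"
        findings.append((dep.name, dep.version, status))
    return findings


# Constructed inventory mirroring the thread's situation: zlib present but
# RocksDB left on its Snappy default, so the zlib path is not exercised.
SAMPLE_INVENTORY: List[Dependency] = [
    Dependency("zlib", "1.2.11", in_use=False),
    Dependency("snappy", "1.1.8", in_use=True),
    Dependency("zlib", "1.2.12", in_use=True),
]


if __name__ == "__main__":
    for name, version, status in audit(SAMPLE_INVENTORY):
        print(f"{name} {version}: {status}")
```

The "not exercised" status is deliberately still reported: a default can change with a configuration edit or an upgrade, so the right action is to track the dependency bump rather than to drop the finding.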