Hello,

The following dependency vulnerabilities were found with the Flink 1.12.3 version. Please provide your input on this.

1. commons-io-2.7
   Severity: High
   Description: Apache Commons IO contains a flaw that is due to the program failing to restrict which class can be serialized. This may allow a remote attacker to execute arbitrary Java code via deserialization methods.
   References: https://issues.apache.org/jira/browse/IO-675
   Paths:
     /opt/flink/lib/flink-dist_2.11-1.12.3.jar:commons-io (fixed in: 2.8.0)
     /opt/flink/lib/flink-table-blink_2.11-1.12.3.jar:commons-io (fixed in: 2.8.0)

2. guava-14.0.1
   Severity: High
   References: https://nvd.nist.gov/vuln/detail/CVE-2018-10237
   Paths:
     /opt/flink/examples/streaming/Twitter.jar:guava (fixed in: 23.6.1, 24.1.1, 25.0)

3. commons-compress-1.20
   Severity: High
   Description: Apache Commons Compress contains a flaw in the ZipFile::readCentralDirectoryEntry() function in main/java/org/apache/commons/compress/archivers/zip/ZipFile.java related to an uncaught exception. This may allow a context-dependent attacker to crash a process linked against the library.
   Paths:
     /opt/flink/lib/flink-dist_2.11-1.12.3.jar:commons-compress
     /opt/flink/opt/flink-python_2.11-1.12.3.jar:commons-compress
   References: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33462

4. flatbuffers-1.9.0
   Severity: High
   Paths:
     /opt/flink/opt/flink-python_2.11-1.12.3.jar:flatbuffers-java
   References: https://nvd.nist.gov/vuln/detail/CVE-2020-35864

5. mesos-1.7.0
   Severity: High
   Paths:
     /opt/flink/lib/flink-dist_2.11-1.12.3.jar:mesos
   References:
     https://nvd.nist.gov/vuln/detail/CVE-2018-11793
     https://nvd.nist.gov/vuln/detail/CVE-2019-0204
     https://nvd.nist.gov/vuln/detail/CVE-2019-5736

6. httpclient-4.5.3
   Severity: Medium
   References: https://nvd.nist.gov/vuln/detail/CVE-2020-13956
   Paths:
     /opt/flink/examples/streaming/Twitter.jar:httpclient

Regards,
Suchithra