Uploaded image for project: 'Flink'
  1. Flink
  2. FLINK-29065

Flink v1.15.1 contains netty(version:3.10.6). There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx

    XMLWordPrintableJSON

Details

    Description

      Though FLINK-22441 states it's fixed, we can still see Netty 3.10.6 is used in the latest version: https://github.com/apache/flink/blob/master/flink-rpc/flink-rpc-akka/pom.xml#L102 and it show up in the security scan results:

       

      Netty Project 3.10.6.Final BDSA-2018-4022 MEDIUM 4.7
      Netty Project 3.10.6.Final BDSA-2019-2642 MEDIUM 6.5
      Netty Project 3.10.6.Final BDSA-2019-2643 MEDIUM 6.7
      Netty Project 3.10.6.Final BDSA-2019-2649 MEDIUM 6.5
      Netty Project 3.10.6.Final BDSA-2019-2610 HIGH 7.2
      Netty Project 3.10.6.Final CVE-2019-16869 (BDSA-2019-3119) HIGH 7.5
      Netty Project 3.10.6.Final BDSA-2020-0130 HIGH 8.8
      Netty Project 3.10.6.Final CVE-2019-20444 (BDSA-2019-4231) CRITICAL 9.1
      Netty Project 3.10.6.Final CVE-2019-20445 (BDSA-2019-4230) CRITICAL 9.1
      Netty Project 3.10.6.Final BDSA-2020-0666 MEDIUM 6.5
      Netty Project 3.10.6.Final CVE-2021-21290 (BDSA-2021-0311) MEDIUM 5.5
      Netty Project 3.10.6.Final CVE-2021-21295 (BDSA-2021-0589) MEDIUM 5.9
      Netty Project 3.10.6.Final CVE-2021-21409 (BDSA-2021-0828) MEDIUM 5.9
      Netty Project 3.10.6.Final CVE-2021-37136 HIGH 7.5
      Netty Project 3.10.6.Final CVE-2021-37137 HIGH 7.5
      Netty Project 3.10.6.Final CVE-2021-43797 (BDSA-2021-3741) MEDIUM 6.5
      Netty Project 3.10.6.Final CVE-2022-24823 MEDIUM 5.5

      Attachments

        Issue Links

          duplicates

          Technical Debt - FLINK-31217 Update netty to current

          • Major - Major loss of function.
          • Closed
          is a clone of

          Bug - A problem which impairs or prevents the functions of the product. FLINK-22441 In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx

          • Not a Priority -
          • Closed
          is fixed by

          Technical Debt - FLINK-36510 Upgrade Pekko from 1.0.1 to 1.1.2

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              liuhb86 Hongbo
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: