Posted to user@flink.apache.org by Razin Bouzar via user <us...@flink.apache.org> on 2023/03/14 19:38:47 UTC

CVE-2019-14887

Hello,

CVE-2019-14887
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14887> is flagged
as a critical vulnerability in Wildfly 1.0.7.Final. It exists within:

   1. flink-azure-fs-hadoop
   <https://github.com/apache/flink/blob/17b805bc9afcca8776a46c15c3785d9df067ec7e/flink-filesystems/flink-azure-fs-hadoop/src/main/resources/META-INF/NOTICE#L21>
   2. flink-s3-fs-hadoop
   <https://github.com/apache/flink/blob/17b805bc9afcca8776a46c15c3785d9df067ec7e/flink-filesystems/flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE#L43>
   3. flink-s3-fs-presto
   <https://github.com/apache/flink/blob/54679fd7ddba64e1edfecb5928d025e08a74def8/flink-filesystems/flink-s3-fs-presto/src/main/resources/META-INF/NOTICE#L57>

There is a fix for this CVE in Wildfly v1.0.10.Final. Can we create a Jira
and/or assist with upgrading to 1.0.10?

Thank you,
Razin

-- 
RAZIN BOUZAR
Senior Engineer - Monitoring Cloud | Salesforce
Mobile: 317-502-8995

Re: CVE-2019-14887

Posted by Martijn Visser <ma...@apache.org>.
Hi Razin,

I believe this is a false positive; the CVE talks about "Wildfly version
7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable" which I
believe are related to https://github.com/wildfly/wildfly-core/

However, the included Wildfly is wildfly-ssl, which I believe is
https://github.com/wildfly-security/wildfly-openssl and uses a different
versioning.

Either way, an upgrade would be depending on Hadoop releasing a newer
version, since this dependency is a transitive dependency from Hadoop.
There is https://issues.apache.org/jira/browse/HADOOP-17717 that has been
closed, but not yet released. Hadoop 3.3.4 is the latest available version,
which is used by Flink's FS implementations.

Best regards,

Martijn
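The reasoning above (the scanner matched on the "wildfly" name, but the flagged artifact is wildfly-openssl, not the wildfly-core product the advisory describes) can be turned into a repeatable triage check. The following is an added example, not code from Flink, Hadoop or the thread; it assumes the scanner reports Maven coordinates and that wildfly-openssl lives under the groupId org.wildfly.openssl, and the affected versions are the ones quoted from the CVE text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner hit: the CVE it flagged and the Maven artifact it matched."""
    cve: str
    group_id: str
    artifact_id: str
    version: str


@dataclass(frozen=True)
class CveRecord:
    """What the advisory itself says is affected (product name and versions)."""
    cve: str
    product: str
    affected_versions: tuple


def parse_version(v: str) -> tuple:
    """'7.2.5.CR2' -> ((7, 2, 5), 'CR2'); the numeric prefix compares as integers."""
    parts = v.split(".")
    nums = []
    for p in parts:
        if not p.isdigit():
            break
        nums.append(int(p))
    return tuple(nums), ".".join(parts[len(nums):])


def triage(finding: Finding, record: CveRecord) -> str:
    """Classify a hit; a name overlap with a different product is a false positive."""
    if finding.cve != record.cve:
        raise ValueError("record does not describe the flagged CVE")
    if finding.artifact_id != record.product:
        family = record.product.split("-")[0]
        if family in finding.artifact_id:
            return "false-positive: product name overlaps but artifact differs"
        return "false-positive: unrelated product"
    if finding.version in record.affected_versions:
        return "affected: version listed in advisory"
    majors = {parse_version(v)[0][0] for v in record.affected_versions}
    if parse_version(finding.version)[0][0] in majors:
        return "verify: same major line, version not listed"
    return "not affected: version outside advisory range"


# Constructed inputs; the groupId for wildfly-openssl is an assumption.
RECORD = CveRecord("CVE-2019-14887", "wildfly-core", ("7.2.0.GA", "7.2.3.GA", "7.2.5.CR2"))
FLINK_HIT = Finding("CVE-2019-14887", "org.wildfly.openssl", "wildfly-openssl", "1.0.7.Final")

if __name__ == "__main__":
    print(triage(FLINK_HIT, RECORD))
```

The same function reports "affected" for a constructed wildfly-core 7.2.3.GA hit, so the check separates a genuine match from the name-only one in this thread.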
