Posted to issues@flink.apache.org by "Robert Metzger (Jira)" <ji...@apache.org> on 2020/08/14 04:44:00 UTC
[jira] [Commented] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
[ https://issues.apache.org/jira/browse/FLINK-18841?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17177478#comment-17177478 ]
Robert Metzger commented on FLINK-18841:
----------------------------------------
Re CVE-2018-10237, there's been recently a discussion on the dev@ list: It seems that Flink is not using Guava for serialization, thus we are not affected by this issue: https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E
> CVE-2018-10237 and CWE-400 occurred in flink dependency
> --------------------------------------------------------
>
> Key: FLINK-18841
> URL: https://issues.apache.org/jira/browse/FLINK-18841
> Project: Flink
> Issue Type: Bug
> Components: Table SQL / Planner
> Affects Versions: 1.11.1
> Environment: flink:1.11.1
> scala:2.11
> Reporter: Jeff Hu
> Priority: Major
>
> CVE-2018-10237 and CWE-400 are caused by the jar {{com.google.guava:guava:18.0}}, which is depended on in {{flink-shaded-guava-18.0-6.0.jar}} & {{flink-table-planner_2.11-1.11.1.jar}}. These dependencies are internal references from flink.
> [https://github.com/apache/flink/blob/master/pom.xml]
> <!-- WARN:
>      DO NOT put guava,
>      protobuf,
>      asm,
>      netty
>      here. It will overwrite Hadoop's guava dependency (even though we handle it
>      separately in the flink-shaded-hadoop-2 dependency).
> -->
> <dependencies>
>
>     <dependency>
>         <groupId>org.apache.flink</groupId>
>         <artifactId>flink-shaded-asm-7</artifactId>
>         <version>7.1-${flink.shaded.version}</version>
>     </dependency>
>
>     <dependency>
>         <groupId>org.apache.flink</groupId>
>         <artifactId>flink-shaded-guava</artifactId>
>         <version>18.0-${flink.shaded.version}</version>
>     </dependency>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
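Robert Metzger's point above is that CVE-2018-10237 only matters where Guava classes are deserialized from untrusted bytes. As an added example (not Flink's or Guava's code, and not part of the Jira thread), the following Java program shows the check a practitioner would put around any ObjectInputStream that reads untrusted data: a JEP 290 ObjectInputFilter that rejects Guava classes outright, so their custom readObject never runs, plus array-length and graph-depth limits as general hygiene. The class and method names are this example's own; the filter pattern syntax and the ObjectInputFilter API are the JDK's (Java 9 or later). The sample payloads are constructed in main.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

// Added example, not project code: a deserialization guard for untrusted streams.
public class GuardedDeserialization {

    // Reject every class under com.google.common (all of Guava), accept other classes,
    // and cap array lengths and object-graph depth seen in the stream.
    static final ObjectInputFilter GUAVA_BLOCKING_FILTER =
        ObjectInputFilter.Config.createFilter(
            "!com.google.common.**;maxarray=10000;maxdepth=20");

    // Deserialize with the filter installed; a REJECTED decision surfaces as
    // InvalidClassException before the rejected class or array is materialised.
    static Object readGuarded(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(GUAVA_BLOCKING_FILTER);
            return in.readObject();
        }
    }

    // Helper to build sample payloads for the demonstration below.
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload 1: a small array from a trusted JDK type passes the filter.
        double[] accepted = (double[]) readGuarded(serialize(new double[16]));
        System.out.println("small array accepted, length=" + accepted.length);

        // Constructed payload 2: an array above maxarray is rejected before allocation.
        byte[] oversized = serialize(new double[100_000]);
        try {
            readGuarded(oversized);
            System.out.println("UNEXPECTED: oversized array accepted");
        } catch (InvalidClassException e) {
            System.out.println("oversized array rejected: " + e.getMessage());
        }
    }
}
```

One caveat on the limits: the allocation in CVE-2018-10237 happens inside Guava's own readObject (the length is read with readInt and the array is created by the class, not encoded as a serialized array), so maxarray alone would not stop it; the class-name rejection is the part that addresses that CVE, and it only helps where the application, unlike Flink per the comment above, actually deserializes Guava types from external input.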