Posted to issues@flink.apache.org by "Yang Wang (Jira)" <ji...@apache.org> on 2022/05/17 02:53:00 UTC

[jira] [Commented] (FLINK-27654) Older jackson-databind found in /flink-kubernetes-shaded-1.0-SNAPSHOT.jar

    [ https://issues.apache.org/jira/browse/FLINK-27654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17537889#comment-17537889 ] 

Yang Wang commented on FLINK-27654:
-----------------------------------

Thanks [~jbusche] for reporting this ticket.

It seems that we are bundling the com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile in the flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar. And this version does not have the vulnerability.

The dependency is introduced by the flink-kubernetes module in the upstream project Flink. You could find the pom here[1].

[1]. https://github.com/apache/flink/blob/master/flink-kubernetes/pom.xml#L63

> Older jackson-databind found in /flink-kubernetes-shaded-1.0-SNAPSHOT.jar
> -------------------------------------------------------------------------
>
>                 Key: FLINK-27654
>                 URL: https://issues.apache.org/jira/browse/FLINK-27654
>             Project: Flink
>          Issue Type: Bug
>          Components: Kubernetes Operator
>    Affects Versions: kubernetes-operator-0.1.0
>            Reporter: James Busche
>            Priority: Major
>
> A twistlock security scan of the latest kubernetes flink operator is showing an older version of jackson-databind in the /flink-kubernetes-shaded-1.0-SNAPSHOT.jar file.  I don't know how to control/update the contents of this snapshot file.  
> I see this in the report (Otherwise, everything else looks good!):
> ======
> severity: High
> cvss: 7.5 
> riskFactors: Attack complexity: low,Attack vector: network,DoS,Has fix,High severity
> cve: CVE-2020-36518
> Link: [https://nvd.nist.gov/vuln/detail/CVE-2020-36518]
> packageName: com.fasterxml.jackson.core_jackson-databind
> packagePath: /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar
> description: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
> =====
> I'd be glad to try to fix it, I'm just not sure how the jackson-databind versions are controlled in this /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar 



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
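Added example, not part of the Jira thread or the Flink project: a small Python check that reads the pom.properties Maven records for jackson-databind inside a shaded jar (the same metadata a scanner like the one in the report keys on) and compares the recorded version with the releases that fixed CVE-2020-36518. The fixed versions 2.12.6.1 and 2.13.2.1 are my assumption from the Jackson release history, and the jar contents are constructed inside the script.

```python
"""Check which jackson-databind version a (shaded) jar actually bundles.

Added example, not code from the issue or from Flink. The Maven shade plugin
typically keeps each bundled artifact's META-INF/maven/<group>/<artifact>/
pom.properties, so reading it gives the exact version behind a scan finding.
"""
import io
import zipfile

POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
# Releases that fixed CVE-2020-36518 on each maintained branch (assumed here;
# confirm against your own advisory source). 2.14 and later are unaffected.
FIXED = {(2, 12): (2, 12, 6, 1), (2, 13): (2, 13, 2, 1)}


def parse_version(v):
    """'2.13.2.2' -> (2, 13, 2, 2); pad so '2.13.2' sorts below 2.13.2.1."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (4 - len(parts))


def bundled_version(jar_bytes):
    """Return the jackson-databind version recorded in the jar, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode().splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def affected_by_cve_2020_36518(version):
    """True if this version predates the fix on its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return branch < (2, 12)  # older branches never received the fix


def make_test_jar(version):
    """Constructed stand-in for flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/flink/kubernetes/shaded/Dummy.class", b"")
        if version is not None:
            jar.writestr(POM_PROPS, f"version={version}\n"
                         "groupId=com.fasterxml.jackson.core\n"
                         "artifactId=jackson-databind\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.13.2.2", "2.13.2", "2.12.6.1", "2.10.5"):
        found = bundled_version(make_test_jar(v))
        print(found, "affected" if affected_by_cve_2020_36518(found) else "fixed")
```

Run it against a real jar with `bundled_version(open(path, "rb").read())`; a `None` result means the shade step stripped the Maven metadata and the version has to be confirmed from the build's dependency tree instead.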