Posted to dev@flink.apache.org by "Jens Oberender (JIRA)" <ji...@apache.org> on 2017/11/29 12:38:00 UTC

[jira] [Created] (FLINK-8170) Security Problems with Netty version 4.0.27.Final

Jens Oberender created FLINK-8170:
-------------------------------------

             Summary: Security Problems with Netty version 4.0.27.Final
                 Key: FLINK-8170
                 URL: https://issues.apache.org/jira/browse/FLINK-8170
             Project: Flink
          Issue Type: Bug
          Components: Core
            Reporter: Jens Oberender


I did an OWASP dependency check on my Flink project and it reports two problems for Netty version 4.0.27.Final:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4970

According to #FLINK-3151 there was a memory problem with newer versions.
I couldn't find a reference to that problem in the Netty issues. Perhaps it's already fixed with newer versions (Netty 4.0.27 was released in Apr, 2015).
Unfortunately I'm not familiar enough with Flink yet to build a setup to reproduce the memory problem. Can anyone try it with a newer version of Netty (4.0.53.Final is the latest of 4.0)?

I came across an article about finding Netty memory leaks with ByteBuf; perhaps that can help:
https://logz.io/blog/netty-bytebuf-memory-leak/



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)