flink-issues mailing list archives

From "Jens Oberender (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-8170) Security Problems with Netty version 4.0.27.Final
Date Wed, 29 Nov 2017 12:47:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-8170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16270682#comment-16270682 ]

Jens Oberender commented on FLINK-8170:
---------------------------------------

A workmate also tried to use ElasticSearch 6 with the Flink connector, but there were dependency
problems, because ElasticSearch also uses a newer version of netty (version 4.1.13.Final).

> Security Problems with Netty version 4.0.27.Final
> -------------------------------------------------
>
>                 Key: FLINK-8170
>                 URL: https://issues.apache.org/jira/browse/FLINK-8170
>             Project: Flink
>          Issue Type: Bug
>          Components: Core
>            Reporter: Jens Oberender
>
> I did an OWASP dependency check on my flink project and it reports two problems for netty
> version 4.0.27.Final:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4970
> According to #FLINK-3151 there was a memory problem with newer versions.
> I couldn't find a reference to that problem in the netty issues. Perhaps it's already
> fixed with newer versions (netty 4.0.27 was released in Apr, 2015).
> Unfortunately I'm not that familiar with flink yet, to build a setup to reproduce the
> memory problem. Can anyone try it with a newer version of netty (4.0.53.Final is the latest
> of 4.0)?
> I came across an article about finding netty memory leaks with ByteBuf, perhaps that
> can help:
> https://logz.io/blog/netty-bytebuf-memory-leak/



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
