Loading...

XML

Word

Printable

Type: Task
Resolution: Unresolved
Priority: Major
Fix Version/s: 3.1.0.TP
Affects Version/s: 3.1.0.TP
Component/s: flink
Labels:
None

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Epic Link:
Security Requirements for Flink TP
Intelligence Requested:
Market:

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

Netty 4.1.100.Final is used directly in Flink and via Flink-Shaded 20.0. This version has several medium to high severity CVEs:

CVE-2024-29025
CVE-2024-47535
CVE-2025-25193
CVE-2025-24970

Both the flink version of netty and the flink shaded version should be insync. Flink 2.1 uses Flink-Shaded 20.0 and we are unlikely to get a new shaded version out and 2.1 upgraded before release.

However, we should upgrade upstream Flink master and flink-shaded to use the 4.1.118 version (newest 4.1.xxx release at time of writing). That should then be part of Flink-shaded 21.0 for future Flink release.

Downstream we will need to patch our internal flink and flink-shaded 20.0 builds.

Assignee:: Unassigned

Reporter:: Thomas Cooper (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/07/23 2:23 PM

Updated:: 2025/08/13 10:25 AM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty