- Task
- Resolution: Unresolved
- Major
- 3.1.0.TP
- None
- False
- False
The flink-metrics-otel module in the main Flink repo uses opentelemetry version 1.30.1. This is vulnerable to CVE-2023-3635 via the okio library pulled in by okhttp3, whose version is pinned in the Flink root pom.
Upgrading this library is made difficult by the fact that later versions of OTEL use an okhttp3 version which has switched to Kotlin and pulls in the Kotlin runtime. Flink explicitly wants to avoid pulling that in, so it has pinned okhttp3 at the latest 3.x release (3.14.9), which uses a vulnerable okio version (1.17.2).
There is a fixed okio version (1.17.6) available, so we could override the version used by okhttp3; however, a much older version of okio is also used by hadoop2, so we will most likely need to be selective about how and where the override is applied.
We should first investigate whether we are affected by the CVE and, if so, look at how to patch the issue.
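One way to apply the override selectively, as an added illustration rather than code from the ticket or the Flink repo: declare the okio version in the dependencyManagement of the flink-metrics-otel module pom instead of the root pom, so that only this module (and anything inheriting from it) resolves okio 1.17.6 while the hadoop2 dependency tree keeps resolving its own okio. The versions are the ones the ticket names; the Flink module name and the Maven coordinates of okio and okhttp are assumptions.

```xml
<!-- Added illustration, not from the Flink repo: a child-module pom for
     flink-metrics-otel (module name assumed). The root pom is left as-is,
     still pinning okhttp3 at 3.14.9; only this module's dependencyManagement
     pins okio, so the override does not reach the hadoop2 dependency tree. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <!-- Parent coordinates are assumed; the real values come from the Flink root pom. -->
  <parent>
    <groupId>org.apache.flink</groupId>
    <artifactId>flink-parent</artifactId>
    <version>PLACEHOLDER-FLINK-VERSION</version>
  </parent>

  <artifactId>flink-metrics-otel</artifactId>

  <dependencyManagement>
    <dependencies>
      <!-- okhttp3 3.14.9 declares okio 1.17.2, which is vulnerable to
           CVE-2023-3635. A managed version declared here wins over the
           transitive one for this module only; 1.17.6 is the fixed release. -->
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio</artifactId>
        <version>1.17.6</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Version omitted on purpose: it is managed by the root pom (3.14.9),
         so the module stays on the Kotlin-free 3.x line. -->
    <dependency>
      <groupId>com.squareup.okhttp3</groupId>
      <artifactId>okhttp</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm that the override took effect only where intended, compare the resolved okio version in this module against one of the hadoop2-dependent modules, for example with `mvn -pl flink-metrics-otel dependency:tree -Dincludes=com.squareup.okio` (the `-pl` path is an assumption); the module should report okio 1.17.6 while the hadoop2-dependent modules still report their previous version.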