
Conversation

@atu-sharm

What is the purpose of the change

Flink Kubernetes Operator uses Jackson 2.15.0 and has CVE-2023-35116:

CVE-2023-35116: jackson-databind package versions before 2.15.2 are vulnerable to Denial of Service (DoS)
https://nvd.nist.gov/vuln/detail/cve-2023-35116

Brief change log

Upgraded Jackson to 2.16.0

Verifying this change

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (100MB)
  • Extended integration test for recovery after master (JobManager) failure
  • Manually verified the change by running a 4 node cluster with 2 JobManagers and 4 TaskManagers, a stateful streaming program, and killing one JobManager and two TaskManagers during the execution, verifying that recovery happens correctly.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): (yes / no)
  • The public API, i.e., are there any changes to the CustomResourceDescriptors: (yes / no)
  • Core observer or reconciler logic that is regularly executed: (yes / no)

Documentation

  • Does this pull request introduce a new feature? (yes / no)
  • If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)
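The description states the vulnerable range (jackson-databind before 2.15.2) and the target version (2.16.0) but shows no way to confirm what a build actually resolves. As an added example, not code from the PR or from the Flink Kubernetes Operator project, the check below scans `mvn dependency:tree` output for any jackson-databind occurrence older than the fixed version; the sample tree text, the `org.example` coordinates and the `0.0.0-EXAMPLE` version are constructed placeholders, and the fixed-in threshold is taken from the CVE summary quoted above.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (not taken from the PR).
# It deliberately contains one vulnerable and one already-upgraded copy of
# jackson-databind so the check has something to find.
SAMPLE_TREE = """\
[INFO] org.example:example-project:jar:0.0.0-EXAMPLE
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.15.0:compile
[INFO] +- org.example:some-library:jar:1.0.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.16.0:compile
[INFO] \\- org.example:other-library:jar:3.2.1:test
"""

# Matches the groupId:artifactId:jar:version:scope shape Maven prints for
# each resolved dependency (the root artifact line has no scope and is skipped).
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")

# Version threshold from the CVE-2023-35116 summary: versions before 2.15.2 are affected.
FIXED_IN_DEFAULT = "2.15.2"
JACKSON_DATABIND = ("com.fasterxml.jackson.core", "jackson-databind")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.15.0' into (2, 15, 0) so tuples compare numerically.

    Parsing stops at the first non-numeric component (e.g. '-SNAPSHOT'),
    which is good enough for the x.y.z versions Jackson publishes.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_vulnerable(tree_text: str,
                    artifact: Tuple[str, str] = JACKSON_DATABIND,
                    fixed_in: str = FIXED_IN_DEFAULT) -> List[Tuple[str, str]]:
    """Return (version, scope) for every copy of `artifact` older than `fixed_in`.

    Transitive copies count too: a direct upgrade does not help if another
    library still drags in the old version, which is why the whole tree is scanned.
    """
    fixed = parse_version(fixed_in)
    hits = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, art, version, scope = m.groups()
        if (group, art) != artifact:
            continue
        if parse_version(version) < fixed:
            hits.append((version, scope))
    return hits


if __name__ == "__main__":
    for version, scope in find_vulnerable(SAMPLE_TREE):
        print(f"jackson-databind {version} ({scope}) is below {FIXED_IN_DEFAULT}")
```

In a real build, pipe `mvn dependency:tree` into this instead of `SAMPLE_TREE`; an empty result for the default threshold is the evidence a reviewer would want in the "Verifying this change" section, and the same scan of the tree is also what tells you which NOTICE entries need to change.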

@gyfora
Contributor

gyfora commented Apr 28, 2025

The NOTICE files must be upgraded as well with the changed dependencies


@davidradl davidradl left a comment


you need to amend the notice file in line with this.

@gaborgsomogyi gaborgsomogyi changed the title [FLINK-37682]: Upgrade Jackson Lib to Address CVE-2023-35116 [FLINK-37682] Upgrade Jackson Lib to Address CVE-2023-35116 Aug 26, 2025
@gaborgsomogyi
Contributor

Please update the description, such as the Verifying this change section, plus the already requested NOTICE. It has a mid/low score because remote attackers can't exploit it.

@gyfora
Contributor

gyfora commented Sep 17, 2025

closing this due to inactivity

@gyfora gyfora closed this Sep 17, 2025