Security

Security Updates

This section lists fixed vulnerabilities in Flink.

| CVE ID | Affected Flink versions | Notes |
|---|---|---|
| CVE-2020-1960 | 1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 to 1.9.2, 1.10.0 | Users are advised to upgrade to Flink 1.9.3 or 1.10.1 or later versions, or to remove the port parameter from the reporter configuration (see advisory for details). |
| CVE-2020-17518 | 1.5.1 to 1.11.2 | Fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4. Users are advised to upgrade to Flink 1.11.3 or 1.12.0 or later versions. |
| CVE-2020-17519 | 1.11.0, 1.11.1, 1.11.2 | Fixed in commit b561010b0ee741543c3953306037f00d7a9f0801. Users are advised to upgrade to Flink 1.11.3 or 1.12.0 or later versions. |
| CVE-2023-41834 | Flink Stateful Functions 3.1.0, 3.1.1, 3.2.0 | Fixed in commit b06c0a23a5a622d48efc8395699b2e4502bd92be. Users are advised to upgrade to Flink Stateful Functions 3.3.0 or later versions. |
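A small inventory check against the affected-version ranges in the table above, added here as an example; it is not part of the Flink project or its documentation. The ranges are transcribed from the table, and the host/version inventory at the bottom is constructed sample data. Versions are compared as integer tuples, because plain string comparison would put 1.10.0 before 1.9.0.

```python
"""Flag deployed Flink / Stateful Functions versions that fall inside the
affected-version ranges listed on this page. Added example, not Flink code."""
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.11.2' -> (1, 11, 2); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.strip().split("."))


# (CVE ID, product, inclusive (low, high) ranges), transcribed from the table above.
ADVISORIES = [
    ("CVE-2020-1960", "flink", [("1.1.0", "1.1.5"), ("1.2.0", "1.2.1"), ("1.3.0", "1.3.3"),
                                ("1.4.0", "1.4.2"), ("1.5.0", "1.5.6"), ("1.6.0", "1.6.4"),
                                ("1.7.0", "1.7.2"), ("1.8.0", "1.8.3"), ("1.9.0", "1.9.2"),
                                ("1.10.0", "1.10.0")]),
    ("CVE-2020-17518", "flink", [("1.5.1", "1.11.2")]),
    ("CVE-2020-17519", "flink", [("1.11.0", "1.11.2")]),
    ("CVE-2023-41834", "statefun", [("3.1.0", "3.1.1"), ("3.2.0", "3.2.0")]),
]


def affecting_cves(product: str, version: str) -> List[str]:
    """Return the CVE IDs whose affected ranges include this product version."""
    v = parse_version(version)
    hits = []
    for cve, cve_product, ranges in ADVISORIES:
        if cve_product != product:
            continue
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory: (host, product, version).
    inventory = [("job-a", "flink", "1.10.0"), ("job-b", "flink", "1.11.3"),
                 ("sf-1", "statefun", "3.2.0")]
    for host, product, version in inventory:
        print(host, product, version, affecting_cves(product, version) or "not listed")
```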

Frequently Asked Questions

Apache Flink is a framework for executing user-supplied code in clusters. Users can submit code to Flink processes, and that code is executed unconditionally, with no attempt to limit what it can do: it can start other processes, establish network connections, and access or modify local files.

Historically, we’ve received numerous remote code execution vulnerability reports, which we had to reject because this behaviour is by design.

We strongly discourage users from exposing Flink processes to the public internet. Within company networks or “cloud” accounts, we recommend restricting access to a Flink cluster via appropriate means.

Thanks a lot for looking into the security of Apache Flink! We appreciate reports that improve the security of Flink. We accept vulnerability reports through the Apache Security Team, via their private email address security@apache.org.

If you want to discuss a potential security issue privately with the Flink PMC, you can reach us also via private@flink.apache.org.