
[FLINK-39713] Bump log4j, jackson, and Beam to retire CVEs#1114

Open
spuru9 wants to merge 2 commits into apache:main from spuru9:cve/log4j-jackson-bump

[FLINK-39713] Bump log4j, jackson, and Beam to retire CVEs#1114
spuru9 wants to merge 2 commits into
apache:mainfrom
spuru9:cve/log4j-jackson-bump

Conversation

@spuru9
Contributor

@spuru9 spuru9 commented May 19, 2026

What is the purpose of the change

Retire CVEs flagged by Trivy by bumping three direct dependencies. No <dependencyManagement> overrides on transitives.

JIRA: FLINK-39713

Brief change log

  • pom.xml: log4j.version 2.23.1 → 2.25.4
  • pom.xml: jackson-bom 2.15.0 → 2.21.3
  • examples/flink-beam-example/pom.xml: beam.version 2.62.0 → 2.73.0 — retires the 37 Trivy findings in the Beam-transitive chain (kaml, okio, wire-runtime, kafka-clients, opentelemetry-api, spring-*, parallel Netty); example-only scope, beam-runners-flink-1.19 still publishes at 2.73.0 so no runner-artifact change. Per-CVE detail on FLINK-39713.

Residual Netty / lz4-java / commons-lang3 CVEs come through flink-runtime and need a future Flink minor with Netty ≥ 4.1.133.

Verifying this change

Covered by existing tests. Full reactor mvn -B -ntp test on this branch — 2,568 / 0 failures / 0 errors / 0 skipped. Full verification breakdown in the PR comments below.

Does this pull request potentially affect one of the following parts:

  • Dependencies: yes (version bumps only)
  • Public API / CRDs: no
  • Core observer/reconciler logic: no

Documentation

  • New feature: no

@spuru9 spuru9 force-pushed the cve/log4j-jackson-bump branch from b7c92ff to 247c643 May 19, 2026 19:43
spuru9 added 2 commits May 20, 2026 01:19
Patch/minor bumps within the same major lines to retire CVEs
flagged by Trivy:

- log4j 2.25.4 clears CVE-2025-68161, CVE-2026-34477,
  CVE-2026-34478, CVE-2026-34479, CVE-2026-34480 across every
  module that consumes ${log4j.version}.
- jackson-bom 2.21.3 (latest 2.x stable) clears
  GHSA-72hv-8253-57qq for jackson-core/jackson-databind consumers
  in flink-kubernetes-operator and flink-kubernetes-operator-api.

Both are direct version bumps in the root pom; no
dependencyManagement overrides on transitives.
Beam 2.73.0 is the latest stable as of 2026-04-23 and still
publishes beam-runners-flink-1.19, so this is a single property
edit with no API surface changes in the example.

Picks up patched copies of the example-scoped transitives Trivy
flagged (kaml, okio, wire-runtime, kafka-clients,
opentelemetry-api, spring-core, spring-expression, and the
parallel Netty copy that comes through Beam).

Scope is the example module only; the shipped operator image is
unaffected. No dependencyManagement overrides on transitives.
@spuru9 spuru9 force-pushed the cve/log4j-jackson-bump branch from 247c643 to 689f847 May 19, 2026 19:49
@spuru9
Contributor Author

spuru9 commented May 19, 2026

@Dennis-Mircea Can you help with a review?

Contributor

@Dennis-Mircea Dennis-Mircea left a comment


A few things need to be addressed before this is reviewable.

  1. The diff does not match the description - PR body and FLINK-39713 say Jackson goes to 2.18.6. The diff says 2.21.3. That is 3 extra minor versions and two more deprecation cycles. Align the body, the JIRA, and the pom, and explain why the larger jump is needed if 2.21.3 is the real target.

  2. Jackson is not a low-risk bump here - It is on the serialization path for CommonStatus, the reconciled spec snapshot persisted via StatusRecorder, and the savepoint metadata stored in the CRD. It is also pulled transitively by fabric8, Flink core, and Beam, so a direct override can desync from what those bring in. "Covered by existing tests" does not cover this. Please add a verification note that includes:

    • An upgrade roundtrip: an existing CRD instance reconciled with the current operator still deserializes cleanly after the bump.
    • A mvn dependency:tree cross-check confirming no jackson minor mismatch with Flink's shaded chain or fabric8.
    • Any removed & deprecated APIs we rely on (MapperFeature, JsonInclude, custom serializers).
  3. CVE references are incomplete - Listing IDs is a start, but a security-motivated bump needs the actual risk picture. For each advisory (CVE-2025-68161, CVE-2026-34477/78/79/80, GHSA-72hv-8253-57qq), please add:

    • CVSS score and severity (Critical / High / Medium / Low). Without this we cannot tell whether this PR is closing a 9.8 RCE or a 3.1 informational. That difference dictates urgency, backport policy, and whether the larger Jackson jump in (1) is even justified.
    • Fix version per upstream advisory. Confirms the chosen target is the minimum sufficient one and not arbitrary.
    • Link to the upstream advisory for each (NVD, GHSA, or vendor page).

    CVE-2026-3447x are recent enough that not every reviewer will know them by ID, and without scores the PR reads as "Trivy said so" rather than a triaged security decision.

  4. Beam 2.62 to 2.73 has no rationale in the body - 11 minor versions is a large jump even for an examples-only module. The JIRA mentions 37 Trivy findings; that justification belongs in the PR description. One line is enough.

Please reconcile (1), add the verification note in (2), and update the description per (3) and (4) before re-requesting review.
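The upgrade roundtrip asked for in point (2) can be made concrete as a fixture-based check: take a document written by the pre-bump operator, deserialize it with the post-bump Jackson, serialize it again, and list every top-level field that did not survive unchanged. The following is an added example and not operator code: ExampleStatus, its fields, and the FIXTURE document are constructed stand-ins for a persisted CRD status, using only the stable annotation set the PR relies on.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

import java.util.Set;
import java.util.TreeSet;

public class CrdRoundtripCheck {

    // Hypothetical stand-in for a persisted CRD status; mirrors the stable annotation set only
    // (@JsonIgnoreProperties, @JsonInclude, @JsonProperty), nothing version-sensitive.
    @JsonIgnoreProperties(ignoreUnknown = true)
    @JsonInclude(JsonInclude.Include.NON_NULL)
    public static class ExampleStatus {
        @JsonProperty("jobId") public String jobId;
        @JsonProperty("state") public String state;
        @JsonProperty("lastSavepoint") public String lastSavepoint; // may be absent in old instances
        @JsonProperty("reconciledGeneration") public long reconciledGeneration;
    }

    // Constructed fixture: what an instance written by the pre-bump operator might look like,
    // including a field ("legacyField") the current POJO does not know about.
    static final String FIXTURE = "{"
            + "\"jobId\":\"0123456789abcdef\","
            + "\"state\":\"RUNNING\","
            + "\"reconciledGeneration\":7,"
            + "\"legacyField\":\"written-by-old-version\""
            + "}";

    // Plain mapper; the operator's own configuration is not assumed here.
    static final ObjectMapper MAPPER = JsonMapper.builder().build();

    /**
     * Deserialize a fixture into the POJO, serialize it back, and return the names of top-level
     * fields that are missing or changed after the roundtrip. An empty set means nothing was lost.
     */
    public static Set<String> fieldsDroppedByRoundtrip(String fixture) throws Exception {
        ExampleStatus status = MAPPER.readValue(fixture, ExampleStatus.class);
        JsonNode before = MAPPER.readTree(fixture);
        JsonNode after = MAPPER.readTree(MAPPER.writeValueAsString(status));
        Set<String> dropped = new TreeSet<>();
        before.fieldNames().forEachRemaining(name -> {
            if (!after.has(name) || !after.get(name).equals(before.get(name))) {
                dropped.add(name);
            }
        });
        return dropped;
    }

    public static void main(String[] args) throws Exception {
        // With ignoreUnknown = true the unknown field is accepted on read but silently dropped on
        // write, so the check reports it; whether that loss is acceptable is the reviewer's call.
        System.out.println("dropped by roundtrip: " + fieldsDroppedByRoundtrip(FIXTURE));
    }
}
```

Run with jackson-databind (any 2.x that ships the annotations above) on the classpath. A non-empty set is the signal the roundtrip item is meant to surface: either a field the new version no longer maps, or one whose serialized form changed between versions. Pointing the same check at real status documents captured from a cluster before the bump turns it into the upgrade test the review asks for.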

@spuru9
Contributor Author

spuru9 commented May 22, 2026

  1. Fixed — PR body and FLINK-39713 now both say 2.21.3 (which is what the diff has been all along).
    Picked 2.21.3 over the 2.18.6 minimum because it's the latest stable on Jackson 2.x. Going with 2.18.6 only means re-bumping the next time Trivy flags something newer, and since Jackson 2.x keeps binary compatibility, 2.21.3 doesn't add any upgrade risk over 2.18.6.
    Verified with a full unit-test run on this branch (2,568 tests, 0 failures) and mvn dependency:tree (no version mismatch across operator and fabric8 paths).
    Also, I have recently updated the Flink dependency to the same version, so as to also have homogeneous versioning across the packages.

  2. Verified the bump:

  • Scope. Unshaded Jackson only — CRD types, admission webhook, StatusRecorder, SpecUtils, ConfigObjectNodeDeserializer. Autoscaler state-store (AutoScalerSerDeModule, KubernetesAutoScalerStateStore, JdbcAutoScalerStateStore) imports from org.apache.flink.shaded.jackson2.* — separate namespace, unaffected.
  • Convergence. mvn dependency:tree across all 13 modules: 2.21.3 everywhere, no mismatch with fabric8 or Beam.
  • API audit. Zero hits on polymorphic typing, MapperFeature, feature toggles, exotic annotations, ObjectMapper subclasses, or version-pinned JSON fixtures. Only the stable annotation set (@JsonInclude, @JsonProperty, @JsonIgnore, @JsonIgnoreProperties, @JsonDeserialize, @JsonCreator).
  • Tests. mvn -B -ntp test — 2,568 / 0 / 0 / 0.
  • Disclosed. Jackson 2.16 introduced StreamReadConstraints defaults (20 MB string / 1000-digit number / 1000-deep nesting). We don't override; no realistic operator path hits them.

Verdict: safe to ship 2.21.3.

Check in Detail

Verification — jackson-bom 2.15.0 → 2.21.3

Scope. The bump affects the unshaded Jackson chain used by CRD types, the admission webhook, and operator-owned serialization (StatusRecorder, SpecUtils, ConfigObjectNodeDeserializer). It does not affect the autoscaler state-store path — AutoScalerSerDeModule, KubernetesAutoScalerStateStore, and JdbcAutoScalerStateStore all import from org.apache.flink.shaded.jackson2.* (Flink-shaded Jackson at 2.14.2-17.0, separate package namespace). Existing autoscaler ConfigMap / JDBC state is therefore unaffected by this bump.

Convergence. mvn dependency:tree -Dincludes='com.fasterxml.jackson*' across all 13 modules: jackson-core / databind / dataformat-yaml / dataformat-xml / datatype-jsr310 / datatype-joda / module-jsonSchema all on 2.21.3; jackson-annotations on 2.21 (Jackson's canonical label for the annotations artifact). fabric8 7.3.1 and Beam 2.62 / 2.73 both accept the BOM override. No version mismatch in any module.

API audit. Exhaustive grep across src/main + src/test for patterns that historically break between Jackson minors — zero hits on each:

Pattern (hits in src/main + src/test):
  • MapperFeature / SerializationFeature / DeserializationFeature configure: 0
  • enableDefaultTyping / activateDefaultTyping / PolymorphicTypeValidator (biggest 2.x breaking-change surface): 0
  • StreamReadConstraints / StreamWriteConstraints overrides: 0
  • ServiceLoader / findAndRegisterModules: 0
  • ObjectMapper subclasses: 0
  • @JsonDeserialize(builder=), exotic annotations (@JsonValue, @JsonAny*, @JsonNaming, @JsonFormat, @JsonAlias, @JsonMerge, @JsonUnwrapped, @JsonView, @JsonIdentityInfo, @JsonAutoDetect, …): 0
  • Jdk8Module / ParameterNamesModule / version-pinned JSON test fixtures: 0

Annotation surface in production is limited to @JsonInclude, @JsonProperty, @JsonIgnore, @JsonIgnoreProperties, @JsonDeserialize (empty marker and using= form), @JsonCreator — all unchanged 2.15 → 2.21. The single production custom deserializer (ConfigObjectNodeDeserializer on AbstractFlinkSpec.flinkConfiguration) uses only JsonParser.readValueAsTree() and standard ObjectNode iteration.

Tests. Full reactor mvn -B -ntp test: 2,568 / 0 failures / 0 errors / 0 skipped. Includes every test that exercises unshaded-Jackson paths — CrdCompatibilityCheckerTest, SpecUtilsTest, ConfigObjectNodeTest, FlinkOperatorWebhookTest, AdmissionHandlerTest, DefaultRequestMutatorTest, FlinkResourceExceptionUtilsTest.

Verdict — safe to ship 2.21.3. Reactor-wide convergence, scoped-out state-store path, zero hits on every historically-risky pattern, full unit suite green on 2.21.3, and the only behavior change is a hardening. Residual risk to be honest about: an integration-level CRD upgrade roundtrip on a real cluster isn't something we can run locally — that lives in the committer CI. Static analysis + unit-test evidence is as airtight as we can get without it.

  1. As per the guidelines I received on one of my PRs earlier, it's not a good practice to list the CVEs in the PR; that's why I had it mentioned in the JIRA only. I have added the advisory links as well in a comment in the same JIRA, FLINK-39713.
  2. Added to the PR description.
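The "Disclosed" item above notes that the newer jackson-core enforces StreamReadConstraints defaults on every parse (maximum string length, number length and nesting depth) and that the operator does not override them. The added example below, which is not part of the PR or of the operator, shows what that behavior change means in practice: it builds constructed JSON documents just inside and just beyond the shipped limits, checks that the parser refuses the oversized ones with StreamConstraintsException, and shows how a mapper with explicitly tightened limits is built. The limits in tightenedMapper() are illustrative values, not a recommendation for the operator; the code needs jackson-core and jackson-databind 2.15 or later, and the defaults it prints are whatever the version on the classpath ships.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class StreamConstraintsCheck {

    /** Constructed input: nested empty arrays, {@code depth} levels deep. */
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Constructed input: a single JSON integer literal with {@code digits} digits. */
    static String longNumber(int digits) {
        StringBuilder sb = new StringBuilder(digits);
        sb.append('1');
        for (int i = 1; i < digits; i++) sb.append('7');
        return sb.toString();
    }

    /** True if the mapper refuses the document because a StreamReadConstraints limit was hit. */
    static boolean rejectedByConstraints(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readTree(json);
            return false;
        } catch (StreamConstraintsException e) {
            // Limit violations surface as this dedicated exception type, so they can be
            // distinguished from ordinary malformed-JSON errors when handling untrusted input.
            return true;
        }
    }

    /** A mapper with limits tighter than the library defaults; the numbers are illustrative only. */
    static ObjectMapper tightenedMapper() {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(200)
                .maxNumberLength(100)
                .maxStringLength(1_000_000)
                .build();
        JsonFactory factory = JsonFactory.builder().streamReadConstraints(constraints).build();
        return JsonMapper.builder(factory).build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper defaults = JsonMapper.builder().build();
        StreamReadConstraints d = StreamReadConstraints.defaults();
        System.out.printf("shipped defaults: nesting=%d numberLength=%d stringLength=%d%n",
                d.getMaxNestingDepth(), d.getMaxNumberLength(), d.getMaxStringLength());

        // Documents exactly at the limit parse; one step beyond is refused.
        int depth = d.getMaxNestingDepth();
        System.out.println("depth " + depth + " rejected: "
                + rejectedByConstraints(defaults, nestedArrays(depth)));
        System.out.println("depth " + (depth + 1) + " rejected: "
                + rejectedByConstraints(defaults, nestedArrays(depth + 1)));

        int digits = d.getMaxNumberLength();
        System.out.println("number with " + (digits + 1) + " digits rejected: "
                + rejectedByConstraints(defaults, longNumber(digits + 1)));

        // The tightened mapper refuses inputs the default mapper would still accept.
        ObjectMapper tight = tightenedMapper();
        System.out.println("depth 201 rejected by tightened mapper: "
                + rejectedByConstraints(tight, nestedArrays(201)));
        System.out.println("depth 201 rejected by default mapper: "
                + rejectedByConstraints(defaults, nestedArrays(201)));
    }
}
```

For a component that parses JSON it did not produce, such as a CRD body arriving at an admission webhook, these limits bound the memory and stack a single document can consume, which is why the reply can call the change a hardening rather than a compatibility risk. The practical check before relying on the defaults is the one the reply describes: confirm that no legitimate document on an operator path approaches them.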

@spuru9 spuru9 requested a review from Dennis-Mircea May 22, 2026 11:56