Ververica Platform 2.15.4
Release Date: 2026-01-19
Changelog
Apache Flink®
Ververica Platform 2.15.4 supports the following versions:
- Apache Flink® 1.20
- Apache Flink® 1.19
- Apache Flink® 1.18
Ververica Platform 2.15.4 supports Apache Flink® 1.20, Apache Flink® 1.19, and Apache Flink® 1.18 under SLA.
For Stream Edition:
- 1.18.1-stream5-scala_2.12-java8
- 1.18.1-stream5-scala_2.12-java11
- 1.18.1-stream5-scala_2.12-java17
- 1.19.3-stream2-scala_2.12-java8
- 1.19.3-stream2-scala_2.12-java11
- 1.19.3-stream2-scala_2.12-java17
- 1.20.3-stream1-scala_2.12-java8
- 1.20.3-stream1-scala_2.12-java11
- 1.20.3-stream1-scala_2.12-java17
For Spring Edition the following archives are available:
Improvements
Added Support for New Standard Flink Configuration File and YAML Format
Ververica Platform now supports the standard Flink configuration file and YAML format introduced in Apache Flink 1.19 (FLIP-366). This enables you to define advanced configuration options—such as complex properties like pipeline.serialization-config—using the native block-style YAML syntax supported by Open Source Flink.
With this improvement, you can apply configurations that previously could not be expressed using the legacy format directly, improving compatibility with modern Flink versions and reducing the need for workarounds.
Warning Banner for Missing Blob Storage Configuration
Ververica Platform now displays a clear warning banner when the blob storage configuration is missing. Previously, an empty or incomplete blob storage setup could go unnoticed, potentially leading to deployment or runtime issues. This improvement alerts you when the blob storage configuration is empty, helping prevent misconfiguration and improving operational clarity.
Bug Fixes
REST API YAML Response Support
Resolves an issue in Ververica Platform 2.15.1 where REST API requests using the Accept: application/yaml header failed with a 500 Internal Server Error. This regression affected endpoints such as /api/v1/namespaces/default/deployment-targets and /api/v1/namespaces/default/deployments, disrupting automation and tooling that relied on YAML output. YAML-formatted responses now return correctly when requested via the Accept header.
RocksDB State TTL Cleanup
Addresses an issue affecting state TTL cleanup with RocksDB where serializers such as Kryo could fail during native compaction threads due to a missing user class loader. This long-standing Flink issue (FLINK-16686) is now patched in the Ververica-maintained Flink distribution, ensuring the user class loader is correctly available during RocksDB compaction. This fix is included in vvp-flink 1.20.3-stream1 and is available starting with Ververica Platform 2.15.4, improving stability for workloads using state TTL with RocksDB.
Vulnerability Fixes (inside of Apache Flink®)
VVP Flink 1.20.3 fixes 34 CVEs. Below are some highlights:
- Updated pypi/urllib3 to 2.6.3 to address CVE-2026-21441, CVE-2025-66471, CVE-2025-66418
- Updated pypi/protobuf to 4.25.8 to address CVE-2025-4565
- Updated pypi/pip to 25.3 to address CVE-2026-21441, CVE-2025-66418, CVE-2025-47273, CVE-2024-47081, CVE-2024-3651, CVE-2024-35195, CVE-2023-32681, CVE-2025-8869, CVE-2023-5752
- Updated openssl to 3.0.13 to address CVE-2025-9230
- Updated libpng1.6 1.6.43-5ubuntu0.1 to address CVE-2025-65018, CVE-2025-64720, CVE-2025-64506, CVE-2025-64505
- Updated python to 3.11.14 to address CVE-2025-8291, CVE-2025-8194, CVE-2025-6075, CVE-2025-6069, CVE-2025-13836
Vulnerability Fixes (outside of Apache Flink®)
- Addressed Reflected XSS by adding a CSP header
- Addressed HTML Injection by rejecting HTML in name definitions
- Updated jose4j to 0.9.6 to address CVE-2024-29371
- Updated commons-lang3 to 3.18.0 to address CVE-2025-48924
Upgrade
We recommend upgrading via Helm using the following commands:
$ helm repo add ververica https://charts.ververica.com
$ helm repo update
$ helm upgrade [RELEASE] ververica/ververica-platform --version 5.11.4 --values custom-values.yaml