Ververica Platform 2.15.8
Release Date: 2026-05-11
Changelog
Apache Flink®
Ververica Platform 2.15.8 supports the following versions:
- Apache Flink® 1.20
- Apache Flink® 1.19
- Apache Flink® 1.18
Ververica Platform 2.15.8 supports Apache Flink® 1.20, Apache Flink® 1.19, and Apache Flink® 1.18 under SLA.
For Stream Edition:
- 1.18.1-stream8-scala_2.12-java8
- 1.18.1-stream8-scala_2.12-java11
- 1.18.1-stream8-scala_2.12-java17
- 1.19.3-stream5-scala_2.12-java8
- 1.19.3-stream5-scala_2.12-java11
- 1.19.3-stream5-scala_2.12-java17
- 1.20.3-stream4-scala_2.12-java8
- 1.20.3-stream4-scala_2.12-java11
- 1.20.3-stream4-scala_2.12-java17
For Spring Edition the following archives are available:
Improvements
Configurable Artifact Temporary Directory
Ververica Platform now supports configuring a custom temporary directory for artifact submission in Session cluster deployments. For details, see Artifact Storage.
NATIVE Savepoint Format Support
The Ververica Platform API now supports triggering savepoints in NATIVE format. For details, see Savepoints.
Bug Fixes
Restore Mode CLAIM Empty Arguments
An issue was identified where an empty argument was passed to the job when Ververica Platform submitted a restoreMode argument to a Flink job that already included user-defined arguments. The fix is included in the Ververica Platform Flink versions delivered with Ververica Platform 2.15.8.
Vulnerability Fixes (Inside Apache Flink®)
- Updated curl, libcurl4t64 to 8.5.0-2ubuntu10.9 to address CVE-2025-0167, CVE-2026-1965, CVE-2026-3783, CVE-2026-3784, CVE-2026-4873, CVE-2026-5545, CVE-2026-5773, CVE-2026-6253, CVE-2026-6276, CVE-2026-6429, CVE-2026-7168
- Updated libcap2 to 1:2.66-5ubuntu2.4 to address CVE-2026-4878
- Updated libfreetype6 to 2.13.2+dfsg-1ubuntu0.1 to address CVE-2026-23865
- Updated libnghttp2-14 to 1.59.0-1ubuntu0.3 to address CVE-2026-27135
- Updated libssh-4 to 0.10.6-2ubuntu0.4 to address CVE-2026-3731
- Updated libssl3t64, openssl to 3.0.13-0ubuntu3.9 to address CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790
- Updated libsystemd0, libudev1 to 255.4-1ubuntu8.15 to address CVE-2026-29111
- Updated pip to 26.1.1 to address CVE-2026-3219, CVE-2026-6357
- Updated requests to 2.33.1 to address CVE-2026-25645
- Updated sed to 4.9-2ubuntu0.24.04.1 to address CVE-2026-5958
Vulnerability Fixes (Outside of Apache Flink®)
- Updated com.fasterxml.jackson.core:jackson-core to 2.21.2 to address GHSA-72hv-8253-57qq
- Updated curl, libcurl4 to 7.81.0-1ubuntu1.24 to address CVE-2025-0167, CVE-2026-1965, CVE-2026-3783, CVE-2026-3784, CVE-2026-4873, CVE-2026-5545, CVE-2026-5773, CVE-2026-6253, CVE-2026-6276, CVE-2026-6429, CVE-2026-7168
- Updated gnutls to 3.8.13-r0 to address CVE-2026-33845, CVE-2026-33846, CVE-2026-3832, CVE-2026-3833, CVE-2026-42009, CVE-2026-42010, CVE-2026-42011, CVE-2026-42012, CVE-2026-42013, CVE-2026-42014, CVE-2026-42015, CVE-2026-5260, CVE-2026-5419
- Updated io.netty:netty-codec-http to 4.1.132.Final to address CVE-2026-33870
- Updated io.netty:netty-codec-http2 to 4.1.132.Final to address CVE-2026-33871
- Updated libcap2 to 1:2.44-1ubuntu0.22.04.3 to address CVE-2026-4878
- Updated libcrypto3, libssl3, openssl to 3.5.6-r0 to address CVE-2026-2673, CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790
- Updated libexpat to 2.7.5-r0 to address CVE-2026-32776, CVE-2026-32777, CVE-2026-32778
- Updated libnghttp2-14 to 1.43.0-1ubuntu0.3 to address CVE-2026-27135
- Updated libpng to 1.6.57-r0 to address CVE-2026-33416, CVE-2026-33636, CVE-2026-34757
- Updated libpng16-16 to 1.6.37-3ubuntu0.5 to address CVE-2026-33416, CVE-2026-33636, CVE-2026-34757
- Updated libssh-4 to 0.9.6-2ubuntu0.22.04.7 to address CVE-2026-3731
- Updated libssl3, openssl to 3.0.2-0ubuntu1.23 to address CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790
- Updated libsystemd0, libudev1 to 249.11-0ubuntu3.20 to address CVE-2026-29111
- Updated musl, musl-utils to 1.2.5-r23 to address CVE-2026-40200, CVE-2026-6042
- Updated org.apache.tomcat.embed:tomcat-embed-core to 10.1.54 to address CVE-2026-24734, CVE-2026-25854, CVE-2026-29145, CVE-2026-32990, CVE-2026-34483, CVE-2026-34487, CVE-2026-34500
- Updated org.bouncycastle:bcpg-jdk18on to 1.84 to address CVE-2026-3505
- Updated org.bouncycastle:bcpkix-jdk18on to 1.84 to address CVE-2026-5588
- Updated org.bouncycastle:bcprov-jdk18on to 1.84 to address CVE-2026-0636, CVE-2026-5598
- Updated org.springframework.boot:spring-boot to 3.5.14 to address CVE-2026-40973
- Updated org.springframework.security:spring-security-core to 6.5.10 to address CVE-2026-22746, CVE-2026-22751
- Updated org.springframework.security:spring-security-oauth2-jose to 6.5.10 to address CVE-2026-22748
- Updated org.springframework.security:spring-security-web to 6.5.10 to address CVE-2026-22732
- Updated org.springframework:spring-webmvc to 6.2.18 to address CVE-2026-22735, CVE-2026-22737, CVE-2026-22741, CVE-2026-22745
- Updated org.thymeleaf:thymeleaf, org.thymeleaf:thymeleaf-spring6 to 3.1.5.RELEASE to address CVE-2026-40477, CVE-2026-40478, CVE-2026-41901
- Updated requests to 2.33.1 to address CVE-2026-25645
- Updated sed to 4.8-1ubuntu2.1 to address CVE-2026-5958
- Updated zlib to 1.3.2-r0 to address CVE-2026-22184, CVE-2026-27171
Upgrade
We recommend upgrading with Helm using the following commands:
$ helm repo add ververica https://charts.ververica.com
$ helm repo update
$ helm upgrade [RELEASE] ververica/ververica-platform --version 5.11.8 --values custom-values.yaml