Ververica Platform 2.15.9

Release Date: 2026-06-05

Overview

This release is a security-focused update designed to address identified vulnerabilities. We recommend that all users upgrade to this version to ensure the continued security and stability of their environments. This patch does not introduce new features or functional changes. In addition to the security patches, this release introduces VVP Flink 1.20.4, which is based on the latest patch release of Apache Flink® 1.20.x.

Changelog

Apache Flink®

Ververica Platform 2.15.9 supports the following versions:

• Apache Flink® 1.20
• Apache Flink® 1.19
• Apache Flink® 1.18

Ververica Platform 2.15.9 supports Apache Flink® 1.20, Apache Flink® 1.19, and Apache Flink® 1.18 under SLA.

For Stream Edition:

• 1.18.1-stream9-scala_2.12-java8
• 1.18.1-stream9-scala_2.12-java11
• 1.18.1-stream9-scala_2.12-java17
• 1.19.3-stream6-scala_2.12-java8
• 1.19.3-stream6-scala_2.12-java11
• 1.19.3-stream6-scala_2.12-java17
• 1.20.4-stream1-scala_2.12-java8
• 1.20.4-stream1-scala_2.12-java11
• 1.20.4-stream1-scala_2.12-java17

For Spring Edition the following archives are available:

• 1.18.1-spring9-scala_2.12.tgz
• 1.19.3-spring6-scala_2.12.tgz
• 1.20.4-spring1-scala_2.12.tgz

Vulnerability Fixes (Inside Apache Flink®)

• Removed bsdutils, libblkid1, libmount1, libsmartcols1, libuuid1, mount, util-linux to address CVE-2026-27456
• Removed dpkg to address CVE-2026-2219
• Removed libc-bin, libc6, locales to address CVE-2026-4046, CVE-2026-4437, CVE-2026-4438, CVE-2026-5435, CVE-2026-6238
• Removed libexpat1 to address CVE-2025-66382
• Removed libgcrypt20 to address CVE-2024-2236, CVE-2026-41989
• Removed libgnutls30t64 to address CVE-2026-33845, CVE-2026-33846, CVE-2026-3832, CVE-2026-3833, CVE-2026-42009, CVE-2026-42010, CVE-2026-42011, CVE-2026-42012, CVE-2026-42013, CVE-2026-42014, CVE-2026-42015, CVE-2026-5260, CVE-2026-5419
• Removed liblzma5 to address CVE-2026-34743
• Removed libpng16-16t64 to address CVE-2026-33416, CVE-2026-33636, CVE-2026-34757
• Removed login, passwd to address CVE-2024-56433
• Removed tar to address CVE-2025-45582, CVE-2026-5704
• Removed wget to address CVE-2021-31879
• Updated idna to 3.18 to address CVE-2026-45409
• Updated org.apache.flink:flink-table-runtime to 1.20.4 to address CVE-2026-35194
• Updated org.apache.logging.log4j:log4j-1.2-api to 2.25.4 to address CVE-2026-34479
• Updated org.apache.logging.log4j:log4j-core to 2.25.4 to address CVE-2025-68161, CVE-2026-34477, CVE-2026-34478, CVE-2026-34480
• Updated urllib3 to 2.7.0 to address CVE-2026-44431, CVE-2026-44432

Vulnerability Fixes (Outside of Apache Flink®)

• Removed bsdutils, libblkid1, libmount1, libsmartcols1, libuuid1, mount, util-linux to address CVE-2026-27456
• Removed gcc-12-base, libgcc-s1, libstdc++6 to address CVE-2022-27943
• Removed libc-bin, libc6, locales to address CVE-2026-4046, CVE-2026-5435, CVE-2026-6238
• Removed libexpat1 to address CVE-2025-66382
• Removed libgcrypt20 to address CVE-2024-2236, CVE-2026-41989
• Removed libgnutls30 to address CVE-2026-33845, CVE-2026-33846, CVE-2026-3832, CVE-2026-3833, CVE-2026-42009, CVE-2026-42010, CVE-2026-42011, CVE-2026-42012, CVE-2026-42013, CVE-2026-42014, CVE-2026-42015, CVE-2026-5260
• Removed liblzma5 to address CVE-2026-34743
• Removed libncurses6, libncursesw6, libtinfo6, ncurses-base, ncurses-bin to address CVE-2023-50495
• Removed libpcre2-8-0 to address CVE-2022-41409
• Removed libpcre3 to address CVE-2017-11164
• Removed libpng to address CVE-2026-40930
• Removed libpng16-16 to address CVE-2026-40930
• Removed libsystemd0, libudev1 to address CVE-2023-7008
• Removed libzstd1 to address CVE-2022-4899
• Removed login, passwd to address CVE-2023-29383, CVE-2024-56433
• Removed tar to address CVE-2025-45582, CVE-2026-5704
• Removed tools.jackson.core:jackson-core to address CVE-2026-29062, GHSA-2m67-wjpj-xhg9, GHSA-72hv-8253-57qq
• Removed wget to address CVE-2021-31879
• Updated idna to 3.18 to address CVE-2026-45409
• Updated io.netty:netty-codec to 4.1.133.Final to address CVE-2026-42583
• Updated io.netty:netty-codec-dns to 4.1.133.Final to address CVE-2026-42579
• Updated io.netty:netty-codec-http to 4.1.133.Final to address CVE-2026-41417, CVE-2026-42580, CVE-2026-42581, CVE-2026-42584, CVE-2026-42585
• Updated io.netty:netty-codec-http, io.netty:netty-codec-http2 to 4.1.133.Final to address CVE-2026-42587
• Updated io.netty:netty-handler-proxy to 4.1.133.Final to address CVE-2026-42578
• Updated io.vertx:vertx-core to 4.5.25 to address CVE-2026-1002
• Updated org.apache.flink:flink-table-runtime to 1.20.4 to address CVE-2026-35194
• Updated org.apache.logging.log4j:log4j-1.2-api to 2.25.4 to address CVE-2026-34479
• Updated org.apache.logging.log4j:log4j-core to 2.25.4 to address CVE-2025-68161, CVE-2026-34477, CVE-2026-34478, CVE-2026-34480
• Updated org.apache.tomcat.embed:tomcat-embed-core to 10.1.55 to address CVE-2026-41284, CVE-2026-41293, CVE-2026-42498, CVE-2026-43512, CVE-2026-43513, CVE-2026-43514, CVE-2026-43515
• Updated org.postgresql:postgresql to 42.7.11 to address CVE-2026-42198
• Updated pip to 26.1.2 to address CVE-2026-3219, CVE-2026-6357
• Updated urllib3 to 2.7.0 to address CVE-2026-44431, CVE-2026-44432

Upgrade

We recommend upgrading with Helm using the following commands:

$ helm repo add ververica https://charts.ververica.com
$ helm repo update
$ helm upgrade [RELEASE] ververica/ververica-platform --version 5.11.9 --values custom-values.yaml