Folks, what about the Ververica Platform? Is there any mitigation around it?

On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org> wrote:

> I would recommend to modify your log4j configurations to set
> log4j2.formatMsgNoLookups to true.
>
> As far as I can tell this is equivalent to upgrading log4j, which just
> disabled this lookup by default.
>
> On 10/12/2021 10:21, Richard Deurwaarder wrote:
>
> Hello,
>
> There has been a log4j2 vulnerability made public
> https://www.randori.com/blog/cve-2021-44228/ which is making some waves :)
> This post even explicitly mentions Apache Flink:
> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>
> And fortunately, I saw this was already on your radar:
> https://issues.apache.org/jira/browse/FLINK-25240
>
> What would the advice be for Flink users? Do you expect to push a minor to
> fix this? Or is it advisable to upgrade to the latest log4j2 version
> manually for now?
>
> Thanks for any advice!
>
>
>

-- 
A.Narasimha Swamy
