While we are working to upgrade the affected dependencies of all components, we recommend users follow the advisory of the Apache Log4j Community. Also, the Ververica Platform can be patched with a similar approach:

To configure the JVMs used by Ververica Platform, you can pass custom Java options via the JAVA_TOOL_OPTIONS environment variable. Add the following to your platform values.yaml, or append to the existing value of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy the platform with Helm:
env:
  - name: JAVA_TOOL_OPTIONS
    value: -Dlog4j2.formatMsgNoLookups=true


For any questions, please contact us via our support portal.

Regards,
Timo

On 11.12.21 06:45, narasimha wrote:
Folks, what about the Ververica platform? Is there any mitigation around it?

On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org> wrote:

    I would recommend modifying your log4j configurations to set
    log4j2.formatMsgNoLookups to true.

    As far as I can tell this is equivalent to upgrading log4j, which
    just disabled this lookup by default.

    On 10/12/2021 10:21, Richard Deurwaarder wrote:
    Hello,

    There has been a log4j2 vulnerability made public
    https://www.randori.com/blog/cve-2021-44228/ which is making
    some waves :)
    This post even explicitly mentions Apache Flink:
    https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/

    And fortunately, I saw this was already on your radar:
    https://issues.apache.org/jira/browse/FLINK-25240

    What would the advice be for Flink users? Do you expect to push a
    minor to fix this? Or is it advisable to upgrade to the latest
    log4j2 version manually for now?

    Thanks for any advice!

--
A.Narasimha Swamy
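The values.yaml patch at the top of this thread has one practical wrinkle: if JAVA_TOOL_OPTIONS is already set, the flag has to be appended rather than overwrite the existing options, and re-running the change should not duplicate it. The following is an added example (not Ververica's or Apache Flink's code) that applies the mitigation idempotently to the parsed `env` list of a Helm values file and reports whether a given option string actually enables the property. It works on already-parsed YAML (a list of name/value mappings) so it needs no third-party library; the sample inputs are constructed for illustration, and loading/dumping the real values.yaml with PyYAML around it is assumed.

```python
"""Idempotently ensure -Dlog4j2.formatMsgNoLookups=true is present in the
JAVA_TOOL_OPTIONS entry of a Helm values 'env' list, as recommended in the
thread for Ververica Platform.

Assumption: the caller has already loaded values.yaml (e.g. with PyYAML) and
passes values["env"]; the returned list is dumped back the same way.
All sample data in this file is constructed for illustration.
"""

from __future__ import annotations

import shlex

ENV_NAME = "JAVA_TOOL_OPTIONS"
PROPERTY = "log4j2.formatMsgNoLookups"
MITIGATION_FLAG = f"-D{PROPERTY}=true"


def has_mitigation(options: str) -> bool:
    """Return True if the option string effectively sets the property to true.

    The string is tokenised with shlex (so quoting is honoured) and the last
    -D assignment of the property wins, matching how repeated -D options are
    applied on a JVM command line. A plain substring check would wrongly accept
    '-Dlog4j2.formatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=false'.
    """
    effective = None
    for token in shlex.split(options):
        if token.startswith(f"-D{PROPERTY}="):
            effective = token.split("=", 1)[1].strip().lower()
    return effective == "true"


def ensure_mitigation(env: list[dict]) -> list[dict]:
    """Return a copy of the env list with the mitigation flag in place.

    Three cases, following the advice in the thread:
      1. no JAVA_TOOL_OPTIONS entry   -> add one containing only the flag
      2. entry exists without the flag -> append the flag to the existing value
      3. entry already enables it      -> return unchanged (safe to re-run)
    Other env entries are preserved untouched.
    """
    updated = [dict(entry) for entry in env]
    for entry in updated:
        if entry.get("name") != ENV_NAME:
            continue
        current = str(entry.get("value", "")).strip()
        if has_mitigation(current):
            return updated
        # Appending keeps any existing options and, because the last -D
        # assignment wins, overrides an earlier explicit '=false'.
        entry["value"] = f"{current} {MITIGATION_FLAG}".strip()
        return updated
    updated.append({"name": ENV_NAME, "value": MITIGATION_FLAG})
    return updated


def audit(env: list[dict]) -> str:
    """Summarise the state of a values 'env' list for a post-deploy check."""
    for entry in env:
        if entry.get("name") == ENV_NAME:
            value = str(entry.get("value", ""))
            return "mitigated" if has_mitigation(value) else f"not mitigated: {value!r}"
    return "not mitigated: JAVA_TOOL_OPTIONS unset"


if __name__ == "__main__":
    # Constructed sample: an operator who already tunes heap size via JAVA_TOOL_OPTIONS.
    sample_env = [
        {"name": "JAVA_TOOL_OPTIONS", "value": "-Xmx4g -XX:+UseG1GC"},
        {"name": "LOG_LEVEL", "value": "INFO"},
    ]
    print("before:", audit(sample_env))
    patched = ensure_mitigation(sample_env)
    print("after: ", audit(patched))
    for entry in patched:
        print(f"  - name: {entry['name']}\n    value: {entry['value']}")
```

Run the module directly to see the before/after report for the constructed sample; in a real rollout you would call `ensure_mitigation` on the loaded values, write the file back, `helm upgrade`, and then confirm the new pods expose the flag (for example by inspecting the container's environment) before trusting the audit result.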
