Does Zookeeper have this vulnerability dependency? I see references to log4j in the Shaded Zookeeper jar included as part of the flink distribution.
On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org> wrote:
> While we are working to upgrade the affected dependencies of all
> components, we recommend users follow the advisory of the Apache Log4j
> Community. Also Ververica platform can be patched with a similar approach:
>
> To configure the JVMs used by Ververica Platform, you can pass custom
> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
> following to your platform values.yaml, or append to the existing value
> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
> the platform with Helm:
>
> env:
>   - name: JAVA_TOOL_OPTIONS
>     value: -Dlog4j2.formatMsgNoLookups=true
>
> For any questions, please contact us via our support portal.
>
> Regards,
> Timo
>
> On 11.12.21 06:45, narasimha wrote:
> > Folks, what about the Ververica platform. Is there any
> > mitigation around it?
> >
> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org> wrote:
> >
> >     I would recommend to modify your log4j configurations to set
> >     log4j2.formatMsgNoLookups to true.
> >
> >     As far as I can tell this is equivalent to upgrading log4j, which
> >     just disabled this lookup by default.
> >
> >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
> >> Hello,
> >>
> >> There has been a log4j2 vulnerability made public
> >> https://www.randori.com/blog/cve-2021-44228/ which is making
> >> some waves :)
> >> This post even explicitly mentions Apache Flink:
> >> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
> >>
> >> And fortunately, I saw this was already on your radar:
> >> https://issues.apache.org/jira/browse/FLINK-25240
> >>
> >> What would the advice be for flink users? Do you expect to push a
> >> minor to fix this? Or is it advisable to upgrade to the latest
> >> log4j2 version manually for now?
> >>
> >> Thanks for any advice!
> >
> >
> > --
> > A.Narasimha Swamy
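The question above about log4j references inside a shaded jar is the kind of thing that is easiest to settle by inspecting the artifacts directly. The following is an added example (not code from this thread, Flink, or Ververica) that scans a jar, including jars nested inside it, for any copy of `JndiLookup.class` and reads the `log4j-core` version from the Maven `pom.properties` that shaded and fat jars usually carry along. It matches the class by path suffix rather than by the exact `org/apache/logging/log4j/...` path, so relocated (shaded) copies are found too. The sample jars it builds in memory are constructed fixtures, not real distribution artifacts; the version boundaries encode that lookups are disabled by default from 2.15.0 and that the `log4j2.formatMsgNoLookups` property only exists from 2.10.0, so the interim mitigation discussed in the thread does nothing for older copies.

```python
"""Offline triage scanner for log4j-core copies (CVE-2021-44228), including
shaded/relocated and nested (jar-in-jar) copies. Added example, not project code."""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Matched by suffix so that a shade plugin relocation such as
# org/example/shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class is found.
JNDI_LOOKUP_SUFFIX = "/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES_SUFFIX = "/log4j-core/pom.properties"


def parse_pom_version(text: str) -> Optional[str]:
    """Pull 'version=' out of a Maven pom.properties body."""
    m = re.search(r"^version=(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.15.0-rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def scan_jar(data: bytes, where: str = "") -> Dict[str, List[str]]:
    """Walk a jar and every jar nested inside it; record each JndiLookup class
    path (using '!' to mark nesting) and each log4j-core version seen."""
    found: Dict[str, List[str]] = {"jndi_lookup": [], "versions": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = f"{where}!{name}" if where else name
            if name.endswith(JNDI_LOOKUP_SUFFIX):
                found["jndi_lookup"].append(path)
            elif name.endswith(POM_PROPERTIES_SUFFIX):
                v = parse_pom_version(zf.read(name).decode("utf-8", "replace"))
                if v:
                    found["versions"].append(v)
            elif name.endswith(".jar"):
                nested = scan_jar(zf.read(name), path)
                found["jndi_lookup"] += nested["jndi_lookup"]
                found["versions"] += nested["versions"]
    return found


def classify(found: Dict[str, List[str]]) -> str:
    """Turn scan results into a one-line verdict for CVE-2021-44228."""
    if not found["jndi_lookup"]:
        return "no JndiLookup class present (not log4j-core, or class removed)"
    if not found["versions"]:
        return "JndiLookup present, version unknown: treat as vulnerable"
    oldest = min(found["versions"], key=version_key)  # worst case wins
    if version_key(oldest) >= (2, 15, 0):
        return f"log4j-core {oldest}: message lookups disabled by default (CVE-2021-44228 fixed)"
    if version_key(oldest) >= (2, 10, 0):
        return (f"log4j-core {oldest}: VULNERABLE; -Dlog4j2.formatMsgNoLookups=true "
                f"is an effective interim mitigation, upgrade when possible")
    return (f"log4j-core {oldest}: VULNERABLE; formatMsgNoLookups does not exist "
            f"before 2.10, upgrade or remove JndiLookup.class")


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar (zip) from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def sample_jars() -> Dict[str, bytes]:
    """Constructed fixtures (not real artifacts) covering the cases that matter."""
    def pom(version: str) -> bytes:
        return (f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
                f"version={version}\n").encode()

    class_stub = b"\xca\xfe\xba\xbe"  # only the path matters for this scanner
    pom_path = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    jndi_path = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
    plain_2_14_1 = build_jar({jndi_path: class_stub, pom_path: pom("2.14.1")})
    return {
        # fat jar carrying log4j-core as a nested jar
        "fat.jar": build_jar({"lib/log4j-core-2.14.1.jar": plain_2_14_1}),
        # shaded jar with the package relocated under org/example/shaded
        "shaded.jar": build_jar({"org/example/shaded/" + jndi_path: class_stub,
                                 pom_path: pom("2.13.3")}),
        # too old for the formatMsgNoLookups property
        "old.jar": build_jar({jndi_path: class_stub, pom_path: pom("2.9.1")}),
        # first release with lookups disabled by default
        "fixed.jar": build_jar({jndi_path: class_stub, pom_path: pom("2.15.0")}),
        # vulnerable version but JndiLookup.class deleted from the jar
        "stripped.jar": build_jar({pom_path: pom("2.14.1")}),
    }


if __name__ == "__main__":
    for jar_name, data in sample_jars().items():
        result = scan_jar(data)
        print(f"{jar_name}: {classify(result)}")
        for p in result["jndi_lookup"]:
            print(f"    {p}")
```

To run it against a real distribution, replace `sample_jars()` with a loop that reads each `*.jar` under the `lib/` and `plugins/` directories and feeds the bytes to `scan_jar`; the `!`-separated paths in the output tell you which outer jar a nested or relocated copy lives in, which is exactly what is needed to decide whether a `JAVA_TOOL_OPTIONS` flag covers it or the jar itself has to be replaced.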