The flink-shaded-zookeeper jars do not contain log4j.

On 13/12/2021 14:11, Prasanna kumar wrote:
Does Zookeeper have this vulnerable dependency? I see references to log4j in the shaded Zookeeper jar included as part of the Flink distribution.

On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org> wrote:

    While we are working to upgrade the affected dependencies of all
    components, we recommend users follow the advisory of the Apache Log4j
    Community. Also Ververica Platform can be patched with a similar
    approach:

    To configure the JVMs used by Ververica Platform, you can pass custom
    Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
    following to your platform values.yaml, or append to the existing
    value
    of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
    the platform with Helm:
    env:
       - name: JAVA_TOOL_OPTIONS
         value: -Dlog4j2.formatMsgNoLookups=true


    For any questions, please contact us via our support portal.

    Regards,
    Timo

    On 11.12.21 06:45, narasimha wrote:
    > Folks, what about the Ververica platform. Is there any
    > mitigation around it?
    >
    > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org> wrote:
    >
    >     I would recommend modifying your log4j configurations to set
    >     log4j2.formatMsgNoLookups to true.
    >
    >     As far as I can tell this is equivalent to upgrading log4j, which
    >     just disabled this lookup by default.
    >
    >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
    >>     Hello,
    >>
    >>     There has been a log4j2 vulnerability made public
    >>     https://www.randori.com/blog/cve-2021-44228/ which is making
    >>     some waves :)
    >>     This post even explicitly mentions Apache Flink:
    >>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
    >>
    >>     And fortunately, I saw this was already on your radar:
    >>     https://issues.apache.org/jira/browse/FLINK-25240
    >>
    >>     What would the advice be for flink users? Do you expect to push a
    >>     minor to fix this? Or is it advisable to upgrade to the latest
    >>     log4j2 version manually for now?
    >>
    >>     Thanks for any advice!
    >
    > --
    > A.Narasimha Swamy

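The two practical questions in this thread are "does this jar actually bundle log4j-core?" and "does the JAVA_TOOL_OPTIONS mitigation apply to the version it bundles?". The script below is an added example for answering both; it is not code from the thread, from Flink, from Ververica Platform or from the Log4j project. It scans jars for JndiLookup.class and for log4j-core's pom.properties by path suffix, because shaded jars such as flink-shaded-zookeeper relocate packages and a prefix match would miss a relocated copy, and it checks a process environment for the -Dlog4j2.formatMsgNoLookups=true option (or the equivalent LOG4J_FORMAT_MSG_NO_LOOKUPS=true variable, which log4j-core 2.10 and later also honour). The version thresholds encode two facts worth knowing before relying on the Helm snippet above: the property was only introduced in log4j-core 2.10.0, so older releases silently ignore it, and 2.15.0 disabled message lookups by default. The sample jars, their names, contents and the com/example/shaded relocation prefix are constructed for the demonstration.

```python
"""Scan a Flink distribution's jars for a bundled log4j-core and say whether the thread's
CVE-2021-44228 mitigation (-Dlog4j2.formatMsgNoLookups=true) applies to each.  Added
example; not Flink, Ververica Platform or Log4j project code."""
import io
import re
import shlex
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Paths as they appear in an unrelocated log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Shaded jars relocate packages (flink-shaded does), so entries are matched on these suffixes.
JNDI_SUFFIX = "log4j/core/lookup/JndiLookup.class"
POM_SUFFIX = "log4j-core/pom.properties"


@dataclass
class Finding:
    jar: str
    version: Optional[Tuple[int, ...]]  # None when no log4j-core pom.properties is present
    jndi_lookup_present: bool
    verdict: str


def parse_version(pom_properties: str) -> Optional[Tuple[int, ...]]:
    """Turn 'version=2.14.1' from a pom.properties body into a comparable tuple."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.MULTILINE)
    return tuple(int(g) for g in m.groups() if g is not None) if m else None


def verdict_for(version: Optional[Tuple[int, ...]], jndi_present: bool) -> str:
    if version is None and not jndi_present:
        return "no log4j-core bundled"
    if version is None:
        return "JndiLookup.class present, version unknown: treat as vulnerable and upgrade"
    if version < (2, 10):  # the system property only exists from 2.10.0 on
        return "upgrade required: log4j2.formatMsgNoLookups is not honoured before 2.10.0"
    if version >= (2, 15):
        return "message lookups disabled by default since 2.15.0; follow the Log4j advisory for later fixes"
    if jndi_present:
        return "vulnerable unless -Dlog4j2.formatMsgNoLookups=true is set (or JndiLookup.class is removed)"
    return "mitigated: JndiLookup.class removed from the jar"


def scan_jar(name: str, data: bytes) -> Finding:
    version, jndi = None, False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry.endswith(JNDI_SUFFIX):
                jndi = True
            elif entry.endswith(POM_SUFFIX):
                version = parse_version(zf.read(entry).decode("utf-8", "replace"))
    return Finding(name, version, jndi, verdict_for(version, jndi))


def scan_directory(lib_dir: str) -> List[Finding]:
    """Scan every *.jar below a directory such as a Flink distribution's lib/ or plugins/."""
    return [scan_jar(p.name, p.read_bytes()) for p in sorted(Path(lib_dir).rglob("*.jar"))]


def mitigation_configured(env: Dict[str, str]) -> bool:
    """True when the environment carries the no-lookups setting, either as the -D option in
    JAVA_TOOL_OPTIONS or as LOG4J_FORMAT_MSG_NO_LOOKUPS=true (read by log4j-core 2.10+)."""
    if env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true":
        return True
    return "-Dlog4j2.formatMsgNoLookups=true" in shlex.split(env.get("JAVA_TOOL_OPTIONS", ""))


def make_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in entries.items():
            zf.writestr(path, body)
    return buf.getvalue()


# Constructed samples standing in for a lib/ directory; names and contents are made up.
SAMPLE_JARS = {
    "flink-shaded-zookeeper-3.4.14.jar": make_jar(
        {"org/apache/flink/shaded/zookeeper3/org/apache/zookeeper/ZooKeeper.class": b""}),
    "log4j-core-2.14.1.jar": make_jar({JNDI_CLASS: b"", LOG4J_POM: b"version=2.14.1\n"}),
    "log4j-core-2.14.1-jndi-removed.jar": make_jar({LOG4J_POM: b"version=2.14.1\n"}),
    "myapp-shaded.jar": make_jar(  # hypothetical relocated, pre-2.10 log4j-core
        {"com/example/shaded/" + JNDI_CLASS: b"", LOG4J_POM: b"version=2.8.2\n"}),
}


def scan_samples() -> Dict[str, Finding]:
    return {name: scan_jar(name, data) for name, data in SAMPLE_JARS.items()}


if __name__ == "__main__":
    for finding in scan_samples().values():
        print(f"{finding.jar}: {finding.verdict}")
```

Against a real installation, call scan_directory on the distribution's lib/ and plugins/ directories (and on any user jars shipped with a job, since those are the ones most likely to carry a relocated log4j-core), and pass the JobManager or TaskManager container's environment to mitigation_configured to confirm the Helm values actually reached the JVM. A jar that only references log4j classes from its own code, as the shaded ZooKeeper jar does, produces "no log4j-core bundled", which is the check behind the statement at the top of this thread.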