Thanks for picking this up quickly!

I saw you've made a second minor upgrade to log4j2 2.16, which is
perfect.

Just to clarify: will you also push new Docker images for these releases?
In particular Flink 1.11.6 (sorry, we must upgrade soon! :()

On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com> wrote:

> Thanks Timo, that was helpful.
>
> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <prasannakumarram...@gmail.com> wrote:
>
>> Chesnay Thank you for the clarification.
>>
>> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org>
>> wrote:
>>
>>> The flink-shaded-zookeeper jars do not contain log4j.
>>>
>>> On 13/12/2021 14:11, Prasanna kumar wrote:
>>>
>>> Does ZooKeeper have this vulnerable dependency? I see references to
>>> log4j in the shaded ZooKeeper jar included as part of the Flink distribution.
>>>
>>> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org> wrote:
>>>
>>>> While we are working to upgrade the affected dependencies of all
>>>> components, we recommend users follow the advisory of the Apache Log4j
>>>> community. Also, Ververica Platform can be patched with a similar
>>>> approach:
>>>>
>>>> To configure the JVMs used by Ververica Platform, you can pass custom
>>>> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
>>>> following to your platform values.yaml, or append to the existing value
>>>> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
>>>> the platform with Helm:
>>>> env:
>>>>    - name: JAVA_TOOL_OPTIONS
>>>>      value: -Dlog4j2.formatMsgNoLookups=true
>>>>
>>>>
>>>> For any questions, please contact us via our support portal.
>>>>
>>>> Regards,
>>>> Timo
>>>>
>>>> On 11.12.21 06:45, narasimha wrote:
>>>> > Folks, what about the Ververica platform? Is there any
>>>> mitigation around it?
>>>> >
>>>> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org> wrote:
>>>> >
>>>> >     I would recommend modifying your log4j configurations to set
>>>> >     log4j2.formatMsgNoLookups to true.
>>>> >
>>>> >     As far as I can tell this is equivalent to upgrading log4j, which
>>>> >     just disabled this lookup by default.
>>>> >
>>>> >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>>>> >>     Hello,
>>>> >>
>>>> >>     There has been a log4j2 vulnerability made public
>>>> >>     https://www.randori.com/blog/cve-2021-44228/ which is making
>>>> >>     some waves :)
>>>> >>     This post even explicitly mentions Apache Flink:
>>>> >>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>>>> >>
>>>> >>     And fortunately, I saw this was already on your radar:
>>>> >>     https://issues.apache.org/jira/browse/FLINK-25240
>>>> >>
>>>> >>     What would the advice be for flink users? Do you expect to push a
>>>> >>     minor to fix this? Or is it advisable to upgrade to the latest
>>>> >>     log4j2 version manually for now?
>>>> >>
>>>> >>     Thanks for any advice!
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > A.Narasimha Swamy
>>>>
>>>>
>>>
>
> --
> A.Narasimha Swamy
>

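As an added example (not from this thread and not the Flink project's or Ververica's own code), a small audit script that checks the two mitigations the thread discusses on a Flink installation: the log4j-core version shipped under lib/ and whether JAVA_TOOL_OPTIONS carries -Dlog4j2.formatMsgNoLookups=true. It assumes the jar follows the standard log4j-core-<version>.jar naming, treats 2.16.0 and later (plus the 2.12.2 Java 7 backport) as fixed because those releases removed message lookups, and treats the flag as effective only on 2.10.0 or later, since the property did not exist before that. JAVA_TOOL_OPTIONS tokenisation is approximated with shlex; the lib/ directory contents in the demo are constructed.

```python
import re
import shlex
from pathlib import Path

# Releases where message lookups were removed outright: 2.16.0+ and the
# 2.12.2 backport for the Java 7 line (assumed thresholds, see lead-in).
FIXED_FROM = (2, 16, 0)
FIXED_212_BACKPORT = (2, 12, 2)
# log4j2.formatMsgNoLookups only exists from 2.10.0; on older cores the
# flag is silently ignored, so it is not a mitigation there.
FLAG_SUPPORTED_FROM = (2, 10, 0)

_JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
_FLAG_RE = re.compile(r"^-Dlog4j2\.formatMsgNoLookups=(.*)$", re.IGNORECASE)


def parse_log4j_core_version(jar_name):
    """Return (major, minor, patch) for a log4j-core jar file name, else None."""
    m = _JAR_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def find_log4j_core_versions(lib_dir):
    """Every log4j-core version present in a Flink lib/ directory, sorted."""
    versions = []
    for path in sorted(Path(lib_dir).iterdir()):
        v = parse_log4j_core_version(path.name)
        if v is not None:
            versions.append(v)
    return versions


def has_no_lookups_flag(java_tool_options):
    """True if JAVA_TOOL_OPTIONS sets formatMsgNoLookups=true (last value wins)."""
    result = False
    for token in shlex.split(java_tool_options or ""):
        m = _FLAG_RE.match(token)
        if m:
            result = m.group(1).strip().lower() == "true"
    return result


def is_fixed_version(version):
    """Versions whose log4j-core no longer performs message lookups at all."""
    if version >= FIXED_FROM:
        return True
    return FIXED_212_BACKPORT <= version < (2, 13, 0)


def assess(version, java_tool_options):
    """Classify one log4j-core version under the given JAVA_TOOL_OPTIONS."""
    if is_fixed_version(version):
        return "fixed"
    if has_no_lookups_flag(java_tool_options):
        if version >= FLAG_SUPPORTED_FROM:
            return "mitigated"
        return "vulnerable: flag unsupported before 2.10.0, upgrade required"
    return "vulnerable: upgrade log4j-core or set -Dlog4j2.formatMsgNoLookups=true"


def audit(lib_dir, java_tool_options):
    """Map each log4j-core version found under lib_dir to its assessment."""
    versions = find_log4j_core_versions(lib_dir)
    if not versions:
        return {"(none)": "no log4j-core found"}
    return {".".join(map(str, v)): assess(v, java_tool_options) for v in versions}


def demo_audit():
    """Constructed example: a temporary lib/ with a pre-fix log4j-core jar,
    audited once without and once with the flag in JAVA_TOOL_OPTIONS."""
    import tempfile
    with tempfile.TemporaryDirectory() as lib:
        Path(lib, "log4j-core-2.12.1.jar").touch()
        Path(lib, "log4j-api-2.12.1.jar").touch()
        Path(lib, "flink-dist_2.11-1.11.4.jar").touch()
        return {
            "unpatched": audit(lib, ""),
            "flagged": audit(lib, "-Xmx2g -Dlog4j2.formatMsgNoLookups=true"),
        }


if __name__ == "__main__":
    for label, result in demo_audit().items():
        print(label, "->", result)
```

Run it against a real installation with `audit("/opt/flink/lib", os.environ.get("JAVA_TOOL_OPTIONS"))`; a "mitigated" result only says the flag will be honoured by that log4j-core, not that the upgrade the thread recommends has been done.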