We will also update the docker images.

On 15/12/2021 11:29, Richard Deurwaarder wrote:
Thanks for picking this up quickly!

I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which is perfect.

Just to clarify: Will you also push new docker images for these releases as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :()

On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com> wrote:

    Thanks TImo, that was helpful.

    On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar
    <prasannakumarram...@gmail.com> wrote:

        Chesnay Thank you for the clarification.

        On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler
        <ches...@apache.org> wrote:

            The flink-shaded-zookeeper jars do not contain log4j.

            On 13/12/2021 14:11, Prasanna kumar wrote:
            Does Zookeeper have this vulnerability dependency? I see references to log4j in the shaded Zookeeper jar included as part of the flink distribution.

            On Mon, Dec 13, 2021 at 1:40 PM Timo Walther
            <twal...@apache.org> wrote:

                While we are working to upgrade the affected dependencies of all
                components, we recommend users follow the advisory of the Apache Log4j
                Community. Also Ververica platform can be patched with a similar approach:

                To configure the JVMs used by Ververica Platform, you can pass custom
                Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
                following to your platform values.yaml, or append to the existing value
                of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
                the platform with Helm:

                env:
                   - name: JAVA_TOOL_OPTIONS
                     value: -Dlog4j2.formatMsgNoLookups=true


                For any questions, please contact us via our support portal.

                Regards,
                Timo

                On 11.12.21 06:45, narasimha wrote:
                > Folks, what about the Ververica platform? Is there any mitigation around it?
                >
                > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org> wrote:
                >
                >     I would recommend to modify your log4j configurations to set
                >     log4j2.formatMsgNoLookups to true.
                >
                >     As far as I can tell this is equivalent to upgrading log4j, which
                >     just disabled this lookup by default.
                >
                >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
                >>     Hello,
                >>
                >>     There has been a log4j2 vulnerability made public
                >>     https://www.randori.com/blog/cve-2021-44228/ which is making
                >>     some waves :)
                >>     This post even explicitly mentions Apache Flink:
                >>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
                >>
                >>     And fortunately, I saw this was already on your radar:
                >>     https://issues.apache.org/jira/browse/FLINK-25240
                >>
                >>     What would the advice be for flink users? Do you expect to push a
                >>     minor to fix this? Or is it advisable to upgrade to the latest
                >>     log4j2 version manually for now?
                >>
                >>     Thanks for any advice!
                >
                > --
                > A.Narasimha Swamy
-- A.Narasimha Swamy
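Added example, not code from the thread, Flink or Ververica: a small defender-side inventory check for the two remediation paths the thread discusses, upgrading log4j-core to 2.16 or setting -Dlog4j2.formatMsgNoLookups=true via JAVA_TOOL_OPTIONS. It assumes the log4j jars sit in a Flink distribution's lib/ directory under their usual log4j-core-<version>.jar names; the sample directory and versions it builds are constructed for the demo.

```python
import os
import re
import tempfile

# Matches the jar names Flink ships, e.g. log4j-core-2.16.0.jar (assumed layout).
LOG4J_JAR = re.compile(r"^log4j-(core|api)-(\d+)\.(\d+)\.(\d+)\.jar$")
# 2.16 is the version the thread names as the target of the second minor upgrade.
FIXED_VERSION = (2, 16, 0)


def scan_lib_dir(lib_dir):
    """Return {jar name: (major, minor, patch)} for every log4j-core/api jar in lib_dir."""
    found = {}
    for name in os.listdir(lib_dir):
        m = LOG4J_JAR.match(name)
        if m:
            found[name] = tuple(int(x) for x in m.group(2, 3, 4))
    return found


def lookups_disabled(env):
    """True if JAVA_TOOL_OPTIONS in env carries the exact flag the thread recommends."""
    opts = env.get("JAVA_TOOL_OPTIONS", "")
    return "-Dlog4j2.formatMsgNoLookups=true" in opts.split()


def assess(lib_dir, env):
    """Classify a deployment: 'no-log4j' (e.g. only flink-shaded-zookeeper, which the
    thread says carries no log4j), 'upgraded' (every log4j-core jar >= 2.16.0),
    'flag-set' (older jar but JAVA_TOOL_OPTIONS disables lookups), else 'exposed'."""
    cores = {n: v for n, v in scan_lib_dir(lib_dir).items() if "-core-" in n}
    if not cores:
        return "no-log4j"
    if all(v >= FIXED_VERSION for v in cores.values()):
        return "upgraded"
    return "flag-set" if lookups_disabled(env) else "exposed"


def build_sample_lib(core_version):
    """Constructed lib/ directory (empty placeholder jars) for offline demonstration."""
    lib = tempfile.mkdtemp()
    for jar in (f"log4j-core-{core_version}.jar", f"log4j-api-{core_version}.jar",
                "flink-shaded-zookeeper-3-3.4.14-14.0.jar"):
        open(os.path.join(lib, jar), "wb").close()
    return lib


if __name__ == "__main__":
    old = build_sample_lib("2.14.1")  # constructed pre-fix version
    print(assess(old, {}), assess(old, {"JAVA_TOOL_OPTIONS": "-Dlog4j2.formatMsgNoLookups=true"}))
    print(assess(build_sample_lib("2.16.0"), {}))
```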