Hello,

Could you please tell when we can expect Flink 1.12.7 release? We are waiting for the CVE fix.

Regards,
Suchithra

From: Chesnay Schepler <ches...@apache.org>
Sent: Wednesday, December 15, 2021 4:04 PM
To: Richard Deurwaarder <rich...@xeli.eu>
Cc: user <user@flink.apache.org>
Subject: Re: CVE-2021-44228 - Log4j2 vulnerability

We will also update the docker images.

On 15/12/2021 11:29, Richard Deurwaarder wrote:
Thanks for picking this up quickly! I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which is perfect.
Just to clarify: Will you also push new docker images for these releases as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :()

On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com> wrote:
Thanks Timo, that was helpful.

On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <prasannakumarram...@gmail.com> wrote:
Chesnay, thank you for the clarification.

On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org> wrote:
The flink-shaded-zookeeper jars do not contain log4j.

On 13/12/2021 14:11, Prasanna kumar wrote:
Does Zookeeper have this vulnerability dependency? I see references to log4j in the Shaded Zookeeper jar included as part of the flink distribution.

On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org> wrote:
While we are working to upgrade the affected dependencies of all components, we recommend users follow the advisory of the Apache Log4j Community.

Also Ververica platform can be patched with a similar approach:

To configure the JVMs used by Ververica Platform, you can pass custom Java options via the JAVA_TOOL_OPTIONS environment variable. Add the following to your platform values.yaml, or append to the existing value of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy the platform with Helm:

env:
  - name: JAVA_TOOL_OPTIONS
    value: -Dlog4j2.formatMsgNoLookups=true

For any questions, please contact us via our support portal.

Regards,
Timo

On 11.12.21 06:45, narasimha wrote:
> Folks, what about the Ververica platform. Is there any mitigation around it?
>
> On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org> wrote:
>
>     I would recommend to modify your log4j configurations to set
>     log4j2.formatMsgNoLookups to true.
>
>     As far as I can tell this is equivalent to upgrading log4j, which
>     just disabled this lookup by default.
>
>     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>> Hello,
>>
>> There has been a log4j2 vulnerability made public
>> https://www.randori.com/blog/cve-2021-44228/ which is making
>> some waves :)
>> This post even explicitly mentions Apache Flink:
>>
>> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>>
>> And fortunately, I saw this was already on your radar:
>> https://issues.apache.org/jira/browse/FLINK-25240
>>
>> What would the advice be for flink users? Do you expect to push a
>> minor to fix this? Or is it advisable to upgrade to the latest
>> log4j2 version manually for now?
>>
>> Thanks for any advice!
>
> --
> A.Narasimha Swamy
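The thread offers two defensive actions: upgrade log4j-core (the Flink releases moved to log4j2 2.16) or, as an interim workaround, set -Dlog4j2.formatMsgNoLookups=true via JAVA_TOOL_OPTIONS. The script below is an added example, not code from the thread, from Flink or from Ververica. It inspects the log4j-core jars in a Flink lib/ directory for the JndiLookup class and the Maven version stamp, and checks whether a JAVA_TOOL_OPTIONS string carries the workaround. It assumes the jar ships the usual META-INF/maven/.../pom.properties; the lib path /opt/flink/lib is only a hypothetical default, and the sample jars built in-memory are constructed stand-ins for offline testing.

```python
"""Defensive inventory check for a Flink deployment affected by CVE-2021-44228.

Added example (not from the mailing-list thread, Flink or Ververica): flags log4j-core
jars that still carry the JNDI lookup class below the version the thread upgraded to,
and verifies whether the JAVA_TOOL_OPTIONS workaround from the thread is in place.
"""
import io
import re
import zipfile
from pathlib import Path

# Class whose presence makes a log4j-core jar a candidate for CVE-2021-44228.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Version stamp that Maven-built log4j-core jars carry inside the archive.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Floor taken from the thread (Flink upgraded to log4j2 2.16); older jars are flagged.
FIXED_VERSION = (2, 16, 0)
WORKAROUND_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text):
    """Turn '2.15.0' (or '2.16') into a 3-tuple; missing components default to 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def log4j_core_version(jar):
    """Read the version key from the jar's pom.properties; None if the file is absent."""
    if POM_PROPERTIES not in jar.namelist():
        return None
    for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def assess_jar_bytes(jar_bytes):
    """Describe one jar: version, whether JndiLookup is present, and whether action is needed."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        version = log4j_core_version(jar)
        has_lookup = JNDI_LOOKUP_ENTRY in jar.namelist()
    below_fix = version is not None and parse_version(version) < FIXED_VERSION
    return {
        "version": version,
        "has_jndi_lookup": has_lookup,
        # Lookup class present and no version stamp at or above the floor: needs upgrade
        # or, until then, the JAVA_TOOL_OPTIONS workaround from the thread.
        "needs_action": has_lookup and (version is None or below_fix),
    }


def mitigation_set(java_tool_options):
    """True if the JAVA_TOOL_OPTIONS value contains the exact workaround token."""
    tokens = (java_tool_options or "").split()
    return WORKAROUND_FLAG in tokens


def scan_lib_dir(lib_dir="/opt/flink/lib"):
    """Assess every *.jar under a Flink lib/ directory (hypothetical default path)."""
    return {
        path.name: assess_jar_bytes(path.read_bytes())
        for path in sorted(Path(lib_dir).glob("*.jar"))
    }


def build_sample_jar(version, include_jndi_lookup):
    """Constructed stand-in for a log4j-core jar (not a real artifact), for offline runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version is not None:
            jar.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"")  # empty placeholder; only the entry name matters
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    print("old jar:", assess_jar_bytes(build_sample_jar("2.14.1", True)))
    print("upgraded jar:", assess_jar_bytes(build_sample_jar("2.16.0", False)))
    print("workaround set:", mitigation_set(WORKAROUND_FLAG + " -Xmx2g"))
```

Run scan_lib_dir() against a real lib/ directory to get a per-jar report; a jar with needs_action set and a JVM whose JAVA_TOOL_OPTIONS fails mitigation_set is the combination to act on first. The version floor is the one the thread names, so adjust FIXED_VERSION if your advisory of record differs.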