Thanks Chesney for info. I can see 1.12.5 is the last release in 1.12.x flink versions. Flink 1.12.6 contains log4j 2.15 and flink 1.12.7 contains log4j 2.16. As per the Apache community it is recommended to upgrade to log4j 2.16. Is there a dependency to release flink 1.12.7 after the release of 1.12.6 only or we can expect both versions within ETA mentioned?
From: Chesnay Schepler <ches...@apache.org> Sent: Wednesday, December 15, 2021 4:56 PM To: V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com>; Richard Deurwaarder <rich...@xeli.eu>; user <user@flink.apache.org> Subject: Re: CVE-2021-44228 - Log4j2 vulnerability The current ETA is 40h for an official announcement. We are validating the release today (concludes in 16h), publish it tonight, then wait for mirrors to be sync (about a day), then we announce it. x On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote: Hello, Could you please tell when we can expect Flink 1.12.7 release? We are waiting for the CVE fix. Regards, Suchithra From: Chesnay Schepler <ches...@apache.org><mailto:ches...@apache.org> Sent: Wednesday, December 15, 2021 4:04 PM To: Richard Deurwaarder <rich...@xeli.eu><mailto:rich...@xeli.eu> Cc: user <user@flink.apache.org><mailto:user@flink.apache.org> Subject: Re: CVE-2021-44228 - Log4j2 vulnerability We will also update the docker images. On 15/12/2021 11:29, Richard Deurwaarder wrote: Thanks for picking this up quickly! I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which is perfect. Just to clarify: Will you also push new docker images for these releases as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :() On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com<mailto:swamy.haj...@gmail.com>> wrote: Thanks TImo, that was helpful. On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <prasannakumarram...@gmail.com<mailto:prasannakumarram...@gmail.com>> wrote: Chesnay Thank you for the clarification. On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org<mailto:ches...@apache.org>> wrote: The flink-shaded-zookeeper jars do not contain log4j. On 13/12/2021 14:11, Prasanna kumar wrote: Does Zookeeper have this vulnerability dependency ? I see references to log4j in Shaded Zookeeper jar included as part of the flink distribution. On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org<mailto:twal...@apache.org>> wrote: While we are working to upgrade the affected dependencies of all components, we recommend users follow the advisory of the Apache Log4j Community. Also Ververica platform can be patched with a similar approach: To configure the JVMs used by Ververica Platform, you can pass custom Java options via the JAVA_TOOL_OPTIONS environment variable. Add the following to your platform values.yaml, or append to the existing value of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy the platform with Helm: env: - name: JAVA_TOOL_OPTIONS value: -Dlog4j2.formatMsgNoLookups=true For any questions, please contact us via our support portal. Regards, Timo On 11.12.21 06:45, narasimha wrote: > Folks, what about the veverica platform. Is there any mitigation around it? > > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler > <ches...@apache.org<mailto:ches...@apache.org> > <mailto:ches...@apache.org<mailto:ches...@apache.org>>> wrote: > > I would recommend to modify your log4j configurations to set > log4j2.formatMsgNoLookups to true/./ > / > / > As far as I can tell this is equivalent to upgrading log4j, which > just disabled this lookup by default. > / > / > On 10/12/2021 10:21, Richard Deurwaarder wrote: >> Hello, >> >> There has been a log4j2 vulnerability made public >> https://www.randori.com/blog/cve-2021-44228/ >> <https://www.randori.com/blog/cve-2021-44228/> which is making >> some waves :) >> This post even explicitly mentions Apache Flink: >> >> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/ >> >> <https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/> >> >> And fortunately, I saw this was already on your radar: >> https://issues.apache.org/jira/browse/FLINK-25240 >> <https://issues.apache.org/jira/browse/FLINK-25240> >> >> What would the advice be for flink users? Do you expect to push a >> minor to fix this? Or is it advisable to upgrade to the latest >> log4j2 version manually for now? >> >> Thanks for any advice! > > > > > -- > A.Narasimha Swamy -- A.Narasimha Swamy
