The 1.12.6 release was cancelled as a new log4j CVE was discovered during the release finalization. We will only release 1.12.7. Our recommendation is to upgrade to 1.12.7 once it is released.

On 15/12/2021 14:03, V N, Suchithra (Nokia - IN/Bangalore) wrote:

Thanks Chesnay for the info. I can see 1.12.5 is the last release in the 1.12.x Flink versions. Flink 1.12.6 contains log4j 2.15 and Flink 1.12.7 contains log4j 2.16.

As per the Apache community it is recommended to upgrade to log4j 2.16. Is there a dependency to release Flink 1.12.7 only after the release of 1.12.6, or can we expect both versions within the ETA mentioned?

*From:* Chesnay Schepler <ches...@apache.org>
*Sent:* Wednesday, December 15, 2021 4:56 PM
*To:* V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com>; Richard Deurwaarder <rich...@xeli.eu>; user <user@flink.apache.org>
*Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability

The current ETA is 40h for an official announcement.

We are validating the release today (concludes in 16h), publish it tonight, then wait for the mirrors to sync (about a day), then we announce it.

On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:

    Hello,

    Could you please tell when we can expect Flink 1.12.7 release? We
    are waiting for the CVE fix.

    Regards,

    Suchithra

    *From:* Chesnay Schepler <ches...@apache.org>
    *Sent:* Wednesday, December 15, 2021 4:04 PM
    *To:* Richard Deurwaarder <rich...@xeli.eu>
    *Cc:* user <user@flink.apache.org>
    *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability

    We will also update the docker images.

    On 15/12/2021 11:29, Richard Deurwaarder wrote:

        Thanks for picking this up quickly!

        I saw you've made a second minor upgrade to upgrade to log4j2
        2.16 which is perfect.

        Just to clarify: Will you also push new docker images for
        these releases as well? In particular flink 1.11.6 (Sorry we
        must upgrade soon! :()

        On Tue, Dec 14, 2021 at 2:33 AM narasimha
        <swamy.haj...@gmail.com> wrote:

            Thanks Timo, that was helpful.

            On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar
            <prasannakumarram...@gmail.com> wrote:

                Chesnay Thank you for the clarification.

                On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler
                <ches...@apache.org> wrote:

                    The flink-shaded-zookeeper jars do not contain log4j.

                    On 13/12/2021 14:11, Prasanna kumar wrote:

                        Does Zookeeper have this vulnerability
                        dependency ? I see references to log4j in
                        Shaded Zookeeper jar included as part of the
                        flink distribution.

                        On Mon, Dec 13, 2021 at 1:40 PM Timo Walther
                        <twal...@apache.org> wrote:

                            While we are working to upgrade the affected dependencies of all
                            components, we recommend users follow the advisory of the Apache Log4j
                            Community. Also Ververica Platform can be patched with a similar approach:

                            To configure the JVMs used by Ververica Platform, you can pass custom
                            Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
                            following to your platform values.yaml, or append to the existing value
                            of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
                            the platform with Helm:

                            env:
                              - name: JAVA_TOOL_OPTIONS
                                value: -Dlog4j2.formatMsgNoLookups=true


                            For any questions, please contact us via
                            our support portal.

                            Regards,
                            Timo

                            On 11.12.21 06:45, narasimha wrote:
                            > Folks, what about the Ververica platform. Is there any mitigation around it?
                            >
                            > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org> wrote:
                            >
                            >     I would recommend modifying your log4j configurations to set
                            >     log4j2.formatMsgNoLookups to true.
                            >
                            >     As far as I can tell this is equivalent to upgrading log4j, which
                            >     just disabled this lookup by default.
                            >
                            >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
                            >>     Hello,
                            >>
                            >>     There has been a log4j2 vulnerability made public
                            >>     https://www.randori.com/blog/cve-2021-44228/ which is making
                            >>     some waves :)
                            >>     This post even explicitly mentions Apache Flink:
                            >>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
                            >>
                            >>     And fortunately, I saw this was already on your radar:
                            >>     https://issues.apache.org/jira/browse/FLINK-25240
                            >>
                            >>     What would the advice be for flink users? Do you expect to push a
                            >>     minor to fix this? Or is it advisable to upgrade to the latest
                            >>     log4j2 version manually for now?
                            >>
                            >>     Thanks for any advice!
                            >
                            > --
                            > A.Narasimha Swamy


            --
            A.Narasimha Swamy
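As an added example (not code from the thread or the Flink project), a defender-side inventory check for the points raised in this thread: whether a jar in a Flink lib directory actually ships log4j-core's JndiLookup class (the shaded ZooKeeper jar does not), which log4j-core version its Maven pom.properties declares against the 2.16 baseline recommended above, and whether the JAVA_TOOL_OPTIONS mitigation Timo describes is set. The jars it scans are constructed stand-ins written to a temp directory; the class and pom.properties paths are the standard log4j-core/Maven layout, and `assess`/`build_sample_lib` are names chosen here.

```python
# Added example, not Flink project code: scan jars for log4j-core's JndiLookup class,
# read the declared log4j-core version, honour the JAVA_TOOL_OPTIONS flag from the thread.
import os, re, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16, 0)  # the thread recommends log4j 2.16 (shipped in Flink 1.12.7)
FLAG = "-Dlog4j2.formatMsgNoLookups=true"

def parse_version(text):
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def scan_jar(path):
    """Return (has_jndi_lookup, log4j-core version or None) for one jar."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        ver = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
        return JNDI_CLASS in names, ver

def assess(lib_dir, java_tool_options=""):
    """Map jar name -> 'clean', 'patched' (>= 2.16), 'mitigated' (flag set) or 'vulnerable'."""
    result = {}
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        has_jndi, ver = scan_jar(os.path.join(lib_dir, name))
        if not has_jndi:
            result[name] = "clean"       # e.g. flink-shaded-zookeeper: no log4j inside
        elif ver and ver >= FIXED:
            result[name] = "patched"
        elif FLAG in java_tool_options.split():
            result[name] = "mitigated"   # lookup disabled via JVM flag; still upgrade
        else:
            result[name] = "vulnerable"
    return result

def build_sample_lib():
    """Write constructed jars to a temp dir: log4j-core 2.14.1, log4j-core 2.16.0, shaded ZooKeeper."""
    d = tempfile.mkdtemp()
    for jar, ver, jndi in [("log4j-core-2.14.1.jar", "2.14.1", True),
                           ("log4j-core-2.16.0.jar", "2.16.0", True),
                           ("flink-shaded-zookeeper-3.jar", None, False)]:
        with zipfile.ZipFile(os.path.join(d, jar), "w") as zf:
            if jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
                zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={ver}\n")
            else:
                zf.writestr("org/apache/flink/shaded/zookeeper3/Placeholder.class", b"")
    return d
```

Run `assess` against the real lib directory and the JAVA_TOOL_OPTIONS value of the deployed JVM; a "mitigated" result means the flag is in place but the jar itself is still below 2.16.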
