The 1.12.6 release was cancelled as a new log4j CVE was discovered
during the release finalization.
We will only release 1.12.7. Our recommendation is to upgrade to 1.12.7
once it is released.
On 15/12/2021 14:03, V N, Suchithra (Nokia - IN/Bangalore) wrote:
Thanks Chesney for info. I can see 1.12.5 is the last release in
1.12.x flink versions. Flink 1.12.6 contains log4j 2.15 and flink
1.12.7 contains log4j 2.16.
As per the Apache community it is recommended to upgrade to log4j
2.16. Is there a dependency to release flink 1.12.7 after the release
of 1.12.6 only or we can expect both versions within ETA mentioned?
*From:*Chesnay Schepler <ches...@apache.org>
*Sent:* Wednesday, December 15, 2021 4:56 PM
*To:* V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com>;
Richard Deurwaarder <rich...@xeli.eu>; user <user@flink.apache.org>
*Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
The current ETA is 40h for an official announcement.
We are validating the release today (concludes in 16h), publish it
tonight, then wait for mirrors to be sync (about a day), then we
announce it. x
On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
Hello,
Could you please tell when we can expect Flink 1.12.7 release? We
are waiting for the CVE fix.
Regards,
Suchithra
*From:*Chesnay Schepler <ches...@apache.org>
<mailto:ches...@apache.org>
*Sent:* Wednesday, December 15, 2021 4:04 PM
*To:* Richard Deurwaarder <rich...@xeli.eu> <mailto:rich...@xeli.eu>
*Cc:* user <user@flink.apache.org> <mailto:user@flink.apache.org>
*Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
We will also update the docker images.
On 15/12/2021 11:29, Richard Deurwaarder wrote:
Thanks for picking this up quickly!
I saw you've made a second minor upgrade to upgrade to log4j2
2.16 which is perfect.
Just to clarify: Will you also push new docker images for
these releases as well? In particular flink 1.11.6 (Sorry we
must upgrade soon! :()
On Tue, Dec 14, 2021 at 2:33 AM narasimha
<swamy.haj...@gmail.com> wrote:
Thanks TImo, that was helpful.
On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar
<prasannakumarram...@gmail.com> wrote:
Chesnay Thank you for the clarification.
On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler
<ches...@apache.org> wrote:
The flink-shaded-zookeeper jars do not contain log4j.
On 13/12/2021 14:11, Prasanna kumar wrote:
Does Zookeeper have this vulnerability
dependency ? I see references to log4j in
Shaded Zookeeper jar included as part of the
flink distribution.
On Mon, Dec 13, 2021 at 1:40 PM Timo Walther
<twal...@apache.org> wrote:
While we are working to upgrade the
affected dependencies of all
components, we recommend users follow the
advisory of the Apache Log4j
Community. Also Ververica platform can be
patched with a similar approach:
To configure the JVMs used by Ververica
Platform, you can pass custom
Java options via the JAVA_TOOL_OPTIONS
environment variable. Add the
following to your platform values.yaml, or
append to the existing value
of JAVA_TOOL_OPTIONS if you are using it
already there, then redeploy
the platform with Helm:
env:
- name: JAVA_TOOL_OPTIONS
value: -Dlog4j2.formatMsgNoLookups=true
For any questions, please contact us via
our support portal.
Regards,
Timo
On 11.12.21 06:45, narasimha wrote:
> Folks, what about the veverica platform.
Is there any mitigation around it?
>
> On Fri, Dec 10, 2021 at 3:32 PM Chesnay
Schepler <ches...@apache.org
> <mailto:ches...@apache.org>> wrote:
>
> I would recommend to modify your
log4j configurations to set
> log4j2.formatMsgNoLookups to true/./
> /
> /
> As far as I can tell this is
equivalent to upgrading log4j, which
> just disabled this lookup by default.
> /
> /
> On 10/12/2021 10:21, Richard
Deurwaarder wrote:
>> Hello,
>>
>> There has been a log4j2
vulnerability made public
>>
https://www.randori.com/blog/cve-2021-44228/
>>
<https://www.randori.com/blog/cve-2021-44228/>
which is making
>> some waves :)
>> This post even explicitly mentions
Apache Flink:
>>
https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>>
<https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/>
>>
>> And fortunately, I saw this was
already on your radar:
>>
https://issues.apache.org/jira/browse/FLINK-25240
>>
<https://issues.apache.org/jira/browse/FLINK-25240>
>>
>> What would the advice be for flink
users? Do you expect to push a
>> minor to fix this? Or is it
advisable to upgrade to the latest
>> log4j2 version manually for now?
>>
>> Thanks for any advice!
>
>
>
>
> --
> A.Narasimha Swamy
--
A.Narasimha Swamy