Hi, The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked at https://issues.apache.org/jira/browse/FLINK-25375.
Best regards, Martijn On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) < suchithra....@nokia.com> wrote: > Hi, > > > > It seems there is high severity vulnerability in log4j 2.16.0.( > CVE-2021-45105 > <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>) > > Refer : https://logging.apache.org/log4j/2.x/security.html > > Any update on this please? > > > > Regards, > > Suchithra > > > > *From:* Chesnay Schepler <ches...@apache.org> > *Sent:* Thursday, December 16, 2021 4:35 PM > *To:* Parag Somani <somanipa...@gmail.com> > *Cc:* Michael Guterl <gute...@justin.tv>; V N, Suchithra (Nokia - > IN/Bangalore) <suchithra....@nokia.com>; Richard Deurwaarder < > rich...@xeli.eu>; user <user@flink.apache.org> > *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability > > > > We will announce the releases when the binaries are available. > > > > On 16/12/2021 05:37, Parag Somani wrote: > > Thank you Chesnay for expediting this fix...! > > > > Can you suggest, when can I get binaries for 1.14.2 flink version? > > > > On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ches...@apache.org> > wrote: > > We will push docker images for all new releases, yes. > > > > On 16/12/2021 01:16, Michael Guterl wrote: > > Will you all be pushing Docker images for the 1.11.6 release? > > > > On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ches...@apache.org> > wrote: > > The current ETA is 40h for an official announcement. > > We are validating the release today (concludes in 16h), publish it > tonight, then wait for mirrors to be sync (about a day), then we announce > it. > > > > On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote: > > Hello, > > > > Could you please tell when we can expect Flink 1.12.7 release? We are > waiting for the CVE fix. > > > > Regards, > > Suchithra > > > > > > *From:* Chesnay Schepler <ches...@apache.org> <ches...@apache.org> > *Sent:* Wednesday, December 15, 2021 4:04 PM > *To:* Richard Deurwaarder <rich...@xeli.eu> <rich...@xeli.eu> > *Cc:* user <user@flink.apache.org> <user@flink.apache.org> > *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability > > > > We will also update the docker images. > > > > On 15/12/2021 11:29, Richard Deurwaarder wrote: > > Thanks for picking this up quickly! > > > > I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which > is perfect. > > > > Just to clarify: Will you also push new docker images for these releases > as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :() > > > > On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com> wrote: > > Thanks TImo, that was helpful. > > > > On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar < > prasannakumarram...@gmail.com> wrote: > > Chesnay Thank you for the clarification. > > > > On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org> > wrote: > > The flink-shaded-zookeeper jars do not contain log4j. > > > > On 13/12/2021 14:11, Prasanna kumar wrote: > > Does Zookeeper have this vulnerability dependency ? I see references to > log4j in Shaded Zookeeper jar included as part of the flink distribution. > > > > On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org> wrote: > > While we are working to upgrade the affected dependencies of all > components, we recommend users follow the advisory of the Apache Log4j > Community. Also Ververica platform can be patched with a similar approach: > > To configure the JVMs used by Ververica Platform, you can pass custom > Java options via the JAVA_TOOL_OPTIONS environment variable. Add the > following to your platform values.yaml, or append to the existing value > of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy > the platform with Helm: > env: > - name: JAVA_TOOL_OPTIONS > value: -Dlog4j2.formatMsgNoLookups=true > > > For any questions, please contact us via our support portal. > > Regards, > Timo > > On 11.12.21 06:45, narasimha wrote: > > Folks, what about the veverica platform. Is there any > mitigation around it? > > > > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org > > <mailto:ches...@apache.org>> wrote: > > > > I would recommend to modify your log4j configurations to set > > log4j2.formatMsgNoLookups to true/./ > > / > > / > > As far as I can tell this is equivalent to upgrading log4j, which > > just disabled this lookup by default. > > / > > / > > On 10/12/2021 10:21, Richard Deurwaarder wrote: > >> Hello, > >> > >> There has been a log4j2 vulnerability made public > >> https://www.randori.com/blog/cve-2021-44228/ > >> <https://www.randori.com/blog/cve-2021-44228/> which is making > >> some waves :) > >> This post even explicitly mentions Apache Flink: > >> > https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/ > >> < > https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/ > > > >> > >> And fortunately, I saw this was already on your radar: > >> https://issues.apache.org/jira/browse/FLINK-25240 > >> <https://issues.apache.org/jira/browse/FLINK-25240> > >> > >> What would the advice be for flink users? Do you expect to push a > >> minor to fix this? Or is it advisable to upgrade to the latest > >> log4j2 version manually for now? > >> > >> Thanks for any advice! > > > > > > > > > > -- > > A.Narasimha Swamy > > > > > > > -- > > A.Narasimha Swamy > > > > > > > > > > -- > > Regards, > Parag Surajmal Somani. > > >
