Any idea when we can expect https://issues.apache.org/jira/browse/FLINK-25375 to be released?
On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <mart...@ververica.com> wrote:
> Hi,
>
> The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked
> at https://issues.apache.org/jira/browse/FLINK-25375.
>
> Best regards,
>
> Martijn
>
> On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com> wrote:
>
>> Hi,
>>
>> It seems there is a high severity vulnerability in log4j 2.16.0
>> (CVE-2021-45105 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>).
>>
>> Refer: https://logging.apache.org/log4j/2.x/security.html
>>
>> Any update on this please?
>>
>> Regards,
>>
>> Suchithra
>>
>> *From:* Chesnay Schepler <ches...@apache.org>
>> *Sent:* Thursday, December 16, 2021 4:35 PM
>> *To:* Parag Somani <somanipa...@gmail.com>
>> *Cc:* Michael Guterl <gute...@justin.tv>; V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com>; Richard Deurwaarder <rich...@xeli.eu>; user <user@flink.apache.org>
>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>
>> We will announce the releases when the binaries are available.
>>
>> On 16/12/2021 05:37, Parag Somani wrote:
>>
>> Thank you Chesnay for expediting this fix...!
>>
>> Can you suggest when I can get binaries for the 1.14.2 Flink version?
>>
>> On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ches...@apache.org> wrote:
>>
>> We will push docker images for all new releases, yes.
>>
>> On 16/12/2021 01:16, Michael Guterl wrote:
>>
>> Will you all be pushing Docker images for the 1.11.6 release?
>>
>> On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ches...@apache.org> wrote:
>>
>> The current ETA is 40h for an official announcement.
>>
>> We are validating the release today (concludes in 16h), publish it
>> tonight, then wait for mirrors to be synced (about a day), then we announce it.
>>
>> On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
>>
>> Hello,
>>
>> Could you please tell when we can expect the Flink 1.12.7 release? We are
>> waiting for the CVE fix.
>>
>> Regards,
>>
>> Suchithra
>>
>> *From:* Chesnay Schepler <ches...@apache.org>
>> *Sent:* Wednesday, December 15, 2021 4:04 PM
>> *To:* Richard Deurwaarder <rich...@xeli.eu>
>> *Cc:* user <user@flink.apache.org>
>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>
>> We will also update the docker images.
>>
>> On 15/12/2021 11:29, Richard Deurwaarder wrote:
>>
>> Thanks for picking this up quickly!
>>
>> I saw you've made a second minor upgrade to upgrade to log4j2 2.16, which
>> is perfect.
>>
>> Just to clarify: will you also push new docker images for these releases
>> as well? In particular flink 1.11.6 (Sorry, we must upgrade soon! :()
>>
>> On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com> wrote:
>>
>> Thanks Timo, that was helpful.
>>
>> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <prasannakumarram...@gmail.com> wrote:
>>
>> Chesnay, thank you for the clarification.
>>
>> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org> wrote:
>>
>> The flink-shaded-zookeeper jars do not contain log4j.
>>
>> On 13/12/2021 14:11, Prasanna kumar wrote:
>>
>> Does Zookeeper have this vulnerability dependency? I see references to
>> log4j in the shaded Zookeeper jar included as part of the flink distribution.
>>
>> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org> wrote:
>>
>> While we are working to upgrade the affected dependencies of all
>> components, we recommend users follow the advisory of the Apache Log4j
>> Community. Also Ververica Platform can be patched with a similar approach:
>>
>> To configure the JVMs used by Ververica Platform, you can pass custom
>> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
>> following to your platform values.yaml, or append to the existing value
>> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
>> the platform with Helm:
>>
>> env:
>>   - name: JAVA_TOOL_OPTIONS
>>     value: -Dlog4j2.formatMsgNoLookups=true
>>
>> For any questions, please contact us via our support portal.
>>
>> Regards,
>> Timo
>>
>> On 11.12.21 06:45, narasimha wrote:
>> > Folks, what about the Ververica platform. Is there any mitigation around it?
>> >
>> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org> wrote:
>> >
>> >     I would recommend to modify your log4j configurations to set
>> >     log4j2.formatMsgNoLookups to true.
>> >
>> >     As far as I can tell this is equivalent to upgrading log4j, which
>> >     just disabled this lookup by default.
>> >
>> >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>> >> Hello,
>> >>
>> >> There has been a log4j2 vulnerability made public
>> >> https://www.randori.com/blog/cve-2021-44228/ which is making
>> >> some waves :)
>> >> This post even explicitly mentions Apache Flink:
>> >> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>> >>
>> >> And fortunately, I saw this was already on your radar:
>> >> https://issues.apache.org/jira/browse/FLINK-25240
>> >>
>> >> What would the advice be for flink users? Do you expect to push a
>> >> minor to fix this? Or is it advisable to upgrade to the latest
>> >> log4j2 version manually for now?
>> >>
>> >> Thanks for any advice!
>> >
>> > --
>> > A.Narasimha Swamy
>>
>> --
>> A.Narasimha Swamy
>>
>> --
>> Regards,
>> Parag Surajmal Somani.
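The thread above moves through three stages of the Log4j 2 response: the `-Dlog4j2.formatMsgNoLookups=true` stopgap (honoured by log4j-core 2.10.0 and later only), the 2.15/2.16 releases that fixed CVE-2021-44228 and its incomplete-fix follow-up CVE-2021-45046, and finally 2.17.0 for the recursion DoS CVE-2021-45105 that Suchithra raises against 2.16.0. It also notes that the flink-shaded-zookeeper jars do not carry log4j, so a scan of a distribution's lib/ should identify log4j-core by its Maven metadata rather than by file name. The script below is an added example that ties those points together; it is not Flink, Ververica or Log4j project tooling. Function names and the status labels are this example's own; the pom.properties path and the JndiLookup class path are the real ones shipped in log4j-core; the jar fixture built by make_fake_jar is constructed for demonstration only.

```python
"""Inventory log4j-core jars (e.g. in a Flink distribution's lib/) and grade them
against the Log4j 2 CVEs discussed in the thread.  Added example, not Flink or
Ververica tooling; function names and status labels are this example's own."""
import io
import re
import sys
import zipfile
from pathlib import Path

# Class behind CVE-2021-44228; deleting it from the jar was the Log4j project's
# stopgap for versions where -Dlog4j2.formatMsgNoLookups=true is not honoured.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships; used to identify the artifact regardless
# of file name, so a shaded jar that bundles log4j-core is not missed either.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def _parse_version(version):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    return tuple(int(x) for x in m.groups(default="0")) if m else (0, 0, 0)


def inspect_jar(jar_bytes):
    """Return (version, has_jndi_lookup) if the bytes are a jar carrying log4j-core, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            names = set(zf.namelist())
            if POM_PROPERTIES not in names:
                return None
            props = {}
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            return props.get("version", "0"), JNDI_LOOKUP in names
    except zipfile.BadZipFile:
        return None


def assess(version, has_jndi_lookup):
    """Grade one log4j-core build on the main 2.x line.
    Not modelled: the Java 6/7 backport lines (2.3.x, 2.12.x); check those
    against https://logging.apache.org/log4j/2.x/security.html directly."""
    v = _parse_version(version)
    if v >= (2, 17, 0):
        return "fixed"                 # CVE-2021-44228, -45046 and -45105 addressed
    if v >= (2, 16, 0):
        return "upgrade-45105"         # RCE fixed, recursion DoS (CVE-2021-45105) not
    if not has_jndi_lookup:
        return "stopgap-jndi-removed"  # JNDI vector gone; still upgrade for 45105
    if v >= (2, 15, 0):
        return "upgrade-45046"         # the 2.15.0 fix was incomplete (CVE-2021-45046)
    if v >= (2, 10, 0):
        return "vulnerable"            # formatMsgNoLookups is honoured from 2.10.0
    return "vulnerable-no-flag"        # older builds ignore the flag; strip the class


def lookups_disabled(java_tool_options="", env=None):
    """True if the thread's stopgap is set, via the system property in
    JAVA_TOOL_OPTIONS or the equivalent LOG4J_FORMAT_MSG_NO_LOOKUPS env var."""
    if NO_LOOKUPS_FLAG in java_tool_options.split():
        return True
    return (env or {}).get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"


def evaluate(version, has_jndi_lookup, java_tool_options="", env=None):
    """Combine the jar grade with the runtime flag.  The flag only downgrades
    'vulnerable': it does nothing below 2.10, was shown insufficient for
    CVE-2021-45046 in non-default layouts, and does not touch CVE-2021-45105,
    which is why the thread moves from the flag to 2.16 and then 2.17."""
    status = assess(version, has_jndi_lookup)
    if status == "vulnerable" and lookups_disabled(java_tool_options, env):
        return "stopgap-flag"
    return status


def scan_lib_dir(lib_dir, java_tool_options="", env=None):
    """Map jar name -> (version, has_jndi_lookup, status) for each log4j-core carrier."""
    results = {}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        info = inspect_jar(jar.read_bytes())
        if info is not None:
            results[jar.name] = (*info, evaluate(*info, java_tool_options, env))
    return results


def make_fake_jar(version, include_jndi_lookup=True):
    """Constructed fixture: a minimal zip that looks like log4j-core to the checks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"#constructed fixture\nversion={version}\n"
                    "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "lib"
    for name, (ver, jndi, status) in scan_lib_dir(target).items():
        print(f"{name}: log4j-core {ver} JndiLookup={'present' if jndi else 'absent'} -> {status}")
```

Run it as `python3 log4j_triage.py /opt/flink/lib` (a hypothetical path) to list every jar that bundles log4j-core with its grade. Anything other than `fixed` means the upgrade the thread is waiting for is still outstanding; `stopgap-flag` and `stopgap-jndi-removed` describe the interim state the Ververica Platform snippet or class removal leaves you in, not a resolved one.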