Any idea when can we expect
https://issues.apache.org/jira/browse/FLINK-25375 to be released?

On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <mart...@ververica.com>
wrote:

> Hi,
>
> The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked
> at https://issues.apache.org/jira/browse/FLINK-25375.
>
> Best regards,
>
> Martijn
>
> On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) <
> suchithra....@nokia.com> wrote:
>
>> Hi,
>>
>>
>>
>> It seems there is high severity vulnerability in log4j 2.16.0.(
>> CVE-2021-45105
>> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>)
>>
>> Refer : https://logging.apache.org/log4j/2.x/security.html
>>
>> Any update on this please?
>>
>>
>>
>> Regards,
>>
>> Suchithra
>>
>>
>>
>> *From:* Chesnay Schepler <ches...@apache.org>
>> *Sent:* Thursday, December 16, 2021 4:35 PM
>> *To:* Parag Somani <somanipa...@gmail.com>
>> *Cc:* Michael Guterl <gute...@justin.tv>; V N, Suchithra (Nokia -
>> IN/Bangalore) <suchithra....@nokia.com>; Richard Deurwaarder <
>> rich...@xeli.eu>; user <user@flink.apache.org>
>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>
>>
>>
>> We will announce the releases when the binaries are available.
>>
>>
>>
>> On 16/12/2021 05:37, Parag Somani wrote:
>>
>> Thank you Chesnay for expediting this fix...!
>>
>>
>>
>> Can you suggest, when can I get binaries for 1.14.2 flink version?
>>
>>
>>
>> On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ches...@apache.org>
>> wrote:
>>
>> We will push docker images for all new releases, yes.
>>
>>
>>
>> On 16/12/2021 01:16, Michael Guterl wrote:
>>
>> Will you all be pushing Docker images for the 1.11.6 release?
>>
>>
>>
>> On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ches...@apache.org>
>> wrote:
>>
>> The current ETA is 40h for an official announcement.
>>
>> We are validating the release today (concludes in 16h), publish it
>> tonight, then wait for mirrors to be sync (about a day), then we announce
>> it.
>>
>>
>>
>> On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
>>
>> Hello,
>>
>>
>>
>> Could you please tell when we can expect Flink 1.12.7 release? We are
>> waiting for the CVE fix.
>>
>>
>>
>> Regards,
>>
>> Suchithra
>>
>>
>>
>>
>>
>> *From:* Chesnay Schepler <ches...@apache.org> <ches...@apache.org>
>> *Sent:* Wednesday, December 15, 2021 4:04 PM
>> *To:* Richard Deurwaarder <rich...@xeli.eu> <rich...@xeli.eu>
>> *Cc:* user <user@flink.apache.org> <user@flink.apache.org>
>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>
>>
>>
>> We will also update the docker images.
>>
>>
>>
>> On 15/12/2021 11:29, Richard Deurwaarder wrote:
>>
>> Thanks for picking this up quickly!
>>
>>
>>
>> I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which
>> is perfect.
>>
>>
>>
>> Just to clarify: Will you also push new docker images for these releases
>> as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :()
>>
>>
>>
>> On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com> wrote:
>>
>> Thanks TImo, that was helpful.
>>
>>
>>
>> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <
>> prasannakumarram...@gmail.com> wrote:
>>
>> Chesnay Thank you for the clarification.
>>
>>
>>
>> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org>
>> wrote:
>>
>> The flink-shaded-zookeeper jars do not contain log4j.
>>
>>
>>
>> On 13/12/2021 14:11, Prasanna kumar wrote:
>>
>> Does Zookeeper have this vulnerability dependency ? I see references to
>> log4j in Shaded Zookeeper jar included as part of the flink distribution.
>>
>>
>>
>> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org> wrote:
>>
>> While we are working to upgrade the affected dependencies of all
>> components, we recommend users follow the advisory of the Apache Log4j
>> Community. Also Ververica platform can be patched with a similar approach:
>>
>> To configure the JVMs used by Ververica Platform, you can pass custom
>> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
>> following to your platform values.yaml, or append to the existing value
>> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
>> the platform with Helm:
>> env:
>>    - name: JAVA_TOOL_OPTIONS
>>      value: -Dlog4j2.formatMsgNoLookups=true
>>
>>
>> For any questions, please contact us via our support portal.
>>
>> Regards,
>> Timo
>>
>> On 11.12.21 06:45, narasimha wrote:
>> > Folks, what about the veverica platform. Is there any
>> mitigation around it?
>> >
>> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org
>> > <mailto:ches...@apache.org>> wrote:
>> >
>> >     I would recommend to modify your log4j configurations to set
>> >     log4j2.formatMsgNoLookups to true/./
>> >     /
>> >     /
>> >     As far as I can tell this is equivalent to upgrading log4j, which
>> >     just disabled this lookup by default.
>> >     /
>> >     /
>> >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>> >>     Hello,
>> >>
>> >>     There has been a log4j2 vulnerability made public
>> >>     https://www.randori.com/blog/cve-2021-44228/
>> >>     <https://www.randori.com/blog/cve-2021-44228/> which is making
>> >>     some waves :)
>> >>     This post even explicitly mentions Apache Flink:
>> >>
>> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>> >>     <
>> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>> >
>> >>
>> >>     And fortunately, I saw this was already on your radar:
>> >>     https://issues.apache.org/jira/browse/FLINK-25240
>> >>     <https://issues.apache.org/jira/browse/FLINK-25240>
>> >>
>> >>     What would the advice be for flink users? Do you expect to push a
>> >>     minor to fix this? Or is it advisable to upgrade to the latest
>> >>     log4j2 version manually for now?
>> >>
>> >>     Thanks for any advice!
>> >
>> >
>> >
>> >
>> > --
>> > A.Narasimha Swamy
>>
>>
>>
>>
>>
>>
>> --
>>
>> A.Narasimha Swamy
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>>
>> Regards,
>> Parag Surajmal Somani.
>>
>>
>>
>

Reply via email to