Hi all,

The ticket for upgrading Log4j to 2.17.0 is https://issues.apache.org/jira/browse/FLINK-25375. There's also the update to Log4j 2.17.1, which is tracked under https://issues.apache.org/jira/browse/FLINK-25472.

As you can see, both have a fix version set to 1.14.3 and 1.13.6. These versions haven't been released yet. Flink 1.14.3 is in preparation; this hasn't started yet for Flink 1.13.6.

Best regards,

Martijn

On Thu, 6 Jan 2022 at 15:05, <patrick.eif...@sony.com> wrote:
> Hi,
>
> Just to be sure: which Flink releases for 1.14 and 1.13 have the upgraded log4j version 2.17.0?
> Are those already deployed to Docker?
>
> Many thanks in advance.
>
> Kind regards,
>
> Patrick
>
> --
> Patrick Eifler
> Senior Software Engineer (BI)
> Cloud Gaming Engineering & Infrastructure
> Sony Interactive Entertainment LLC
> Wilhelmstraße 118, 10963 Berlin
> Germany
> E: patrick.eif...@sony.com
>
> From: David Morávek <d...@apache.org>
> Date: Wednesday, 29. December 2021 at 09:35
> To: narasimha <swamy.haj...@gmail.com>
> Cc: Debraj Manna <subharaj.ma...@gmail.com>, Martijn Visser <mart...@ververica.com>, V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com>, Chesnay Schepler <ches...@apache.org>, user <user@flink.apache.org>, Michael Guterl <gute...@justin.tv>, Richard Deurwaarder <rich...@xeli.eu>, Parag Somani <somanipa...@gmail.com>
> Subject: Re: CVE-2021-44228 - Log4j2 vulnerability
>
> Please follow the above mentioned ML thread for more details. Please note that this is a REGULAR release that is not motivated by the log4j CVE, so the stability of the release is the more important factor than having it out as soon as possible.
>
> D.
>
> On Mon, Dec 27, 2021 at 6:33 AM narasimha <swamy.haj...@gmail.com> wrote:
>
> Hi folks,
>
> When can we expect the release to be made available to the community?
>
> On Wed, Dec 22, 2021 at 3:07 PM David Morávek <d...@apache.org> wrote:
>
> Hi Debraj,
>
> we're currently not planning another emergency release as this CVE is not as critical for Flink users as the previous one. However, this patch will be included in all upcoming patch & minor releases. The patch release for the 1.14.x branch is already in progress [1] (it may be a bit delayed due to the holiday season).
>
> [1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk
>
> Best,
> D.
>
> On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <subharaj.ma...@gmail.com> wrote:
>
> Any idea when can we expect https://issues.apache.org/jira/browse/FLINK-25375 to be released?
>
> On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <mart...@ververica.com> wrote:
>
> Hi,
>
> The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked at https://issues.apache.org/jira/browse/FLINK-25375.
>
> Best regards,
>
> Martijn
>
> On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com> wrote:
>
> Hi,
>
> It seems there is a high severity vulnerability in log4j 2.16.0 (CVE-2021-45105, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105).
> Refer: https://logging.apache.org/log4j/2.x/security.html
>
> Any update on this please?
>
> Regards,
> Suchithra
>
> From: Chesnay Schepler <ches...@apache.org>
> Sent: Thursday, December 16, 2021 4:35 PM
> To: Parag Somani <somanipa...@gmail.com>
> Cc: Michael Guterl <gute...@justin.tv>; V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com>; Richard Deurwaarder <rich...@xeli.eu>; user <user@flink.apache.org>
> Subject: Re: CVE-2021-44228 - Log4j2 vulnerability
>
> We will announce the releases when the binaries are available.
>
> On 16/12/2021 05:37, Parag Somani wrote:
>
> Thank you Chesnay for expediting this fix...!
>
> Can you suggest when I can get binaries for the 1.14.2 Flink version?
>
> On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ches...@apache.org> wrote:
>
> We will push docker images for all new releases, yes.
>
> On 16/12/2021 01:16, Michael Guterl wrote:
>
> Will you all be pushing Docker images for the 1.11.6 release?
>
> On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ches...@apache.org> wrote:
>
> The current ETA is 40h for an official announcement.
> We are validating the release today (concludes in 16h), publish it tonight, then wait for mirrors to be synced (about a day), then we announce it.
>
> On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
>
> Hello,
>
> Could you please tell when we can expect the Flink 1.12.7 release? We are waiting for the CVE fix.
>
> Regards,
> Suchithra
>
> From: Chesnay Schepler <ches...@apache.org>
> Sent: Wednesday, December 15, 2021 4:04 PM
> To: Richard Deurwaarder <rich...@xeli.eu>
> Cc: user <user@flink.apache.org>
> Subject: Re: CVE-2021-44228 - Log4j2 vulnerability
>
> We will also update the docker images.
>
> On 15/12/2021 11:29, Richard Deurwaarder wrote:
>
> Thanks for picking this up quickly!
>
> I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which is perfect.
>
> Just to clarify: will you also push new docker images for these releases as well? In particular flink 1.11.6 (Sorry, we must upgrade soon! :()
>
> On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com> wrote:
>
> Thanks Timo, that was helpful.
>
> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <prasannakumarram...@gmail.com> wrote:
>
> Chesnay, thank you for the clarification.
>
> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org> wrote:
>
> The flink-shaded-zookeeper jars do not contain log4j.
>
> On 13/12/2021 14:11, Prasanna kumar wrote:
>
> Does Zookeeper have this vulnerable dependency? I see references to log4j in the shaded Zookeeper jar included as part of the flink distribution.
>
> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org> wrote:
>
> While we are working to upgrade the affected dependencies of all components, we recommend users follow the advisory of the Apache Log4j Community. Also, Ververica Platform can be patched with a similar approach:
>
> To configure the JVMs used by Ververica Platform, you can pass custom Java options via the JAVA_TOOL_OPTIONS environment variable. Add the following to your platform values.yaml, or append to the existing value of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy the platform with Helm:
>
>     env:
>       - name: JAVA_TOOL_OPTIONS
>         value: -Dlog4j2.formatMsgNoLookups=true
>
> For any questions, please contact us via our support portal.
>
> Regards,
> Timo
>
> On 11.12.21 06:45, narasimha wrote:
>
> Folks, what about the Ververica platform. Is there any mitigation around it?
>
> On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org> wrote:
> >
> > I would recommend to modify your log4j configurations to set log4j2.formatMsgNoLookups to true.
> >
> > As far as I can tell this is equivalent to upgrading log4j, which just disabled this lookup by default.
> >
> > On 10/12/2021 10:21, Richard Deurwaarder wrote:
> >> Hello,
> >>
> >> There has been a log4j2 vulnerability made public https://www.randori.com/blog/cve-2021-44228/ which is making some waves :)
> >> This post even explicitly mentions Apache Flink:
> >> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
> >>
> >> And fortunately, I saw this was already on your radar: https://issues.apache.org/jira/browse/FLINK-25240
> >>
> >> What would the advice be for flink users? Do you expect to push a minor to fix this? Or is it advisable to upgrade to the latest log4j2 version manually for now?
> >>
> >> Thanks for any advice!
>
> --
> A.Narasimha Swamy
>
> --
> A.Narasimha Swamy
>
> --
> Regards,
> Parag Surajmal Somani.
>
> --
> A.Narasimha Swamy
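The thread gives operators two things to verify: which log4j-core version a Flink distribution actually ships (the target being 2.17.1 per FLINK-25472), and whether the JAVA_TOOL_OPTIONS mitigation Chesnay and Timo describe (`-Dlog4j2.formatMsgNoLookups=true`) is present. The following script is an added example and not code from the Flink project or any participant in the thread; it assumes the standard Flink layout of a `log4j-core-<version>.jar` in `lib/`, falls back to the jar manifest's `Implementation-Version` for renamed jars, and uses constructed stand-in jars (empty marker entries) so it runs offline. The `JndiLookup.class` check reflects the class-removal mitigation from the Log4j security page the thread links to; a jar with that class removed but still below 2.17.1 is reported as "partial", since it addresses the JNDI lookup but not the later fixes the thread tracks.

```python
"""Audit a Flink lib/ directory for the log4j-core version and the
JAVA_TOOL_OPTIONS mitigation discussed in the thread.

Added example (not Flink project code). Assumptions: Flink's lib/ layout,
the Log4j 2.17.1 target from FLINK-25472, and the flag from the thread.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TARGET_VERSION = (2, 17, 1)  # version the thread's FLINK-25472 upgrade lands on
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"  # marks a log4j-core jar
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"  # from Timo's values.yaml
NAME_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
MANIFEST_RE = re.compile(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", re.M)


@dataclass
class Finding:
    jar: str
    version: Tuple[int, int, int]
    jndi_lookup_present: bool

    @property
    def status(self) -> str:
        if self.version >= TARGET_VERSION:
            return "ok"
        if not self.jndi_lookup_present:
            # JndiLookup stripped from the jar: the JNDI lookup path is gone,
            # but the jar is still below the version the thread settles on.
            return "partial"
        return "vulnerable"


def inspect_jar(path: str) -> Optional[Finding]:
    """Return a Finding for a log4j-core jar, None for any other jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if not any(n.startswith(CORE_PREFIX) for n in names):
            return None
        m = NAME_RE.match(os.path.basename(path))
        if m is None and "META-INF/MANIFEST.MF" in names:
            # Renamed or vendored jar: read the version from the manifest.
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = MANIFEST_RE.search(manifest)
        if m is None:
            return None  # log4j-core with no recoverable version
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return Finding(os.path.basename(path), version, JNDI_LOOKUP_CLASS in names)


def format_msg_no_lookups_set(java_tool_options: str) -> bool:
    """True if JAVA_TOOL_OPTIONS carries the flag recommended in the thread."""
    return MITIGATION_FLAG in java_tool_options.split()


def audit_lib(lib_dir: str, java_tool_options: str = "") -> Dict[str, object]:
    """Scan every jar in lib_dir and summarise version status and mitigation."""
    findings: List[Finding] = []
    for name in sorted(os.listdir(lib_dir)):
        if name.endswith(".jar"):
            finding = inspect_jar(os.path.join(lib_dir, name))
            if finding is not None:
                findings.append(finding)
    return {
        "findings": findings,
        "vulnerable": [f.jar for f in findings if f.status == "vulnerable"],
        "format_msg_no_lookups": format_msg_no_lookups_set(java_tool_options),
    }


def write_fake_jar(lib_dir: str, filename: str, version: str, with_jndi: bool) -> str:
    """Constructed stand-in for a log4j-core jar: manifest, marker class, optional JndiLookup."""
    path = os.path.join(lib_dir, filename)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "LoggerContext.class", b"")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return path


def build_sample_lib() -> str:
    """Constructed lib/ directory covering the cases an operator would meet."""
    lib = tempfile.mkdtemp(prefix="flink-lib-")
    write_fake_jar(lib, "log4j-core-2.14.1.jar", "2.14.1", with_jndi=True)   # pre-fix
    write_fake_jar(lib, "log4j-core-2.17.1.jar", "2.17.1", with_jndi=True)   # target
    write_fake_jar(lib, "vendored-logging.jar", "2.14.1", with_jndi=False)   # class removed
    with zipfile.ZipFile(os.path.join(lib, "flink-dist.jar"), "w") as zf:     # unrelated jar
        zf.writestr("org/apache/flink/Placeholder.class", b"")
    return lib


if __name__ == "__main__":
    report = audit_lib(build_sample_lib(), os.environ.get("JAVA_TOOL_OPTIONS", ""))
    for f in report["findings"]:
        print(f"{f.jar}: {'.'.join(map(str, f.version))} -> {f.status}")
    print("formatMsgNoLookups set:", report["format_msg_no_lookups"])
```

Run it against a real distribution by replacing `build_sample_lib()` with the path to `flink/lib`; the `status` field tells you whether an upgrade is still required, and `format_msg_no_lookups` tells you whether the JVM-level mitigation from the thread is in place in the environment the script runs in.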