Posted to user@flink.apache.org by Pa...@sony.com on 2022/01/06 14:03:33 UTC

Re: CVE-2021-44228 - Log4j2 vulnerability

Hi,

just to be sure: Which Flink Releases for 1.14 and 1.13 have the upgraded log4j version 2.17.0?
Are those already deployed to docker?

Many Thanks in Advance.

Kind Regards,

Patrick
--
Patrick Eifler

Senior Software Engineer (BI)

Cloud Gaming Engineering & Infrastructure
Sony Interactive Entertainment LLC

Wilhelmstraße 118, 10963 Berlin

Germany

E: patrick.eifler@sony.com

From: David Morávek <dm...@apache.org>
Date: Wednesday, 29. December 2021 at 09:35
To: narasimha <sw...@gmail.com>
Cc: Debraj Manna <su...@gmail.com>, Martijn Visser <ma...@ververica.com>, V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>, Chesnay Schepler <ch...@apache.org>, user <us...@flink.apache.org>, Michael Guterl <gu...@justin.tv>, Richard Deurwaarder <ri...@xeli.eu>, Parag Somani <so...@gmail.com>
Subject: Re: CVE-2021-44228 - Log4j2 vulnerability
Please follow the above mentioned ML thread for more details. Please note that this is a REGULAR release that is not motivated by the log4j CVE, so the stability of the release is the more important factor than having it out as soon as possible.

D.

On Mon, Dec 27, 2021 at 6:33 AM narasimha <sw...@gmail.com> wrote:
Hi folks,

When can we expect the release to be made available to the community?

On Wed, Dec 22, 2021 at 3:07 PM David Morávek <dm...@apache.org> wrote:
Hi Debraj,

we're currently not planning another emergency release as this CVE is not as critical for Flink users as the previous one. However, this patch will be included in all upcoming patch & minor releases. The patch release for the 1.14.x branch is already in progress [1] (it may be a bit delayed due to the holiday season).

[1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk

Best,
D.

On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <su...@gmail.com> wrote:
Any idea when we can expect https://issues.apache.org/jira/browse/FLINK-25375 to be released?

On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <ma...@ververica.com> wrote:
Hi,

The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked at https://issues.apache.org/jira/browse/FLINK-25375.

Best regards,

Martijn

On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com> wrote:
Hi,

It seems there is a high severity vulnerability in log4j 2.16.0 (CVE-2021-45105: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105).
Refer: https://logging.apache.org/log4j/2.x/security.html
Any update on this please?

Regards,
Suchithra

From: Chesnay Schepler <ch...@apache.org>
Sent: Thursday, December 16, 2021 4:35 PM
To: Parag Somani <so...@gmail.com>
Cc: Michael Guterl <gu...@justin.tv>; V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>; Richard Deurwaarder <ri...@xeli.eu>; user <us...@flink.apache.org>
Subject: Re: CVE-2021-44228 - Log4j2 vulnerability

We will announce the releases when the binaries are available.

On 16/12/2021 05:37, Parag Somani wrote:
Thank you Chesnay for expediting this fix...!

Can you suggest, when can I get binaries for 1.14.2 flink version?

On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ch...@apache.org> wrote:
We will push docker images for all new releases, yes.

On 16/12/2021 01:16, Michael Guterl wrote:
Will you all be pushing Docker images for the 1.11.6 release?

On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ch...@apache.org> wrote:
The current ETA is 40h for an official announcement.
We are validating the release today (concludes in 16h), publish it tonight, then wait for the mirrors to sync (about a day), then we announce it.

On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
Hello,

Could you please tell when we can expect Flink 1.12.7 release? We are waiting for the CVE fix.

Regards,
Suchithra


From: Chesnay Schepler <ch...@apache.org>
Sent: Wednesday, December 15, 2021 4:04 PM
To: Richard Deurwaarder <ri...@xeli.eu>
Cc: user <us...@flink.apache.org>
Subject: Re: CVE-2021-44228 - Log4j2 vulnerability

We will also update the docker images.

On 15/12/2021 11:29, Richard Deurwaarder wrote:
Thanks for picking this up quickly!

I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which is perfect.

Just to clarify: Will you also push new docker images for these releases as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :()

On Tue, Dec 14, 2021 at 2:33 AM narasimha <sw...@gmail.com> wrote:
Thanks Timo, that was helpful.

On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <pr...@gmail.com> wrote:
Chesnay Thank you for the clarification.

On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ch...@apache.org> wrote:
The flink-shaded-zookeeper jars do not contain log4j.

On 13/12/2021 14:11, Prasanna kumar wrote:
Does Zookeeper have this vulnerable dependency? I see references to log4j in the shaded Zookeeper jar included as part of the Flink distribution.

On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <tw...@apache.org> wrote:
While we are working to upgrade the affected dependencies of all
components, we recommend users follow the advisory of the Apache Log4j
Community. The Ververica Platform can also be patched with a similar approach:

To configure the JVMs used by Ververica Platform, you can pass custom
Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
following to your platform values.yaml, or append to the existing value
of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
the platform with Helm:
env:
   - name: JAVA_TOOL_OPTIONS
     value: -Dlog4j2.formatMsgNoLookups=true


For any questions, please contact us via our support portal.

Regards,
Timo

On 11.12.21 06:45, narasimha wrote:
> Folks, what about the Ververica platform. Is there any mitigation around it?
>
> On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ch...@apache.org> wrote:
>
>     I would recommend to modify your log4j configurations to set
>     log4j2.formatMsgNoLookups to true.
>
>     As far as I can tell this is equivalent to upgrading log4j, which
>     just disabled this lookup by default.
>
>     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>>     Hello,
>>
>>     There has been a log4j2 vulnerability made public
>>     https://www.randori.com/blog/cve-2021-44228/ which is making
>>     some waves :)
>>     This post even explicitly mentions Apache Flink:
>>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>>
>>     And fortunately, I saw this was already on your radar:
>>     https://issues.apache.org/jira/browse/FLINK-25240
>>
>>     What would the advice be for flink users? Do you expect to push a
>>     minor to fix this? Or is it advisable to upgrade to the latest
>>     log4j2 version manually for now?
>>
>>     Thanks for any advice!
>
>
>
>
> --
> A.Narasimha Swamy

--
A.Narasimha Swamy

--
Regards,
Parag Surajmal Somani.

--
A.Narasimha Swamy
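
The thread above settles three operational points: Chesnay's advice to set log4j2.formatMsgNoLookups to true, Timo's recipe for passing that flag to every JVM through JAVA_TOOL_OPTIONS, and Chesnay's note that the flink-shaded-zookeeper jars reference the log4j API but do not contain log4j itself. Before and after applying any of that, an operator wants to know which log4j-core actually sits in a distribution. What follows is an added example, not code from the Flink project or from anyone in this thread: it walks a lib/ directory, descends into jars nested inside shaded jars, reports each log4j-core it finds by version (read from the Maven pom.properties the artifact ships with) and by the presence of the JndiLookup class, compares the version against the 2.17.1 floor the thread ends on, and reports the JAVA_TOOL_OPTIONS flag separately as a stop-gap rather than counting it as a fix. The jar names and contents in build_sample_distribution are a constructed fixture, and the 2.17.1 floor is an assumption taken from the FLINK-25472 discussion, both marked in the code.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Class that performs the JNDI lookup; its presence marks a log4j-core build.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core; gives the exact version string.
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"   # the stop-gap from the thread
FIXED_VERSION = "2.17.1"   # assumed floor, taken from the FLINK-25472 discussion

@dataclass
class Finding:
    path: str               # jar path; "!" separates an outer jar from a nested one
    version: Optional[str]  # None when pom.properties is missing (repackaged build)
    has_jndi_lookup: bool

def _version_from_pom(zf: zipfile.ZipFile) -> Optional[str]:
    try:
        props = zf.read(CORE_POM).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def _scan_zip(zf: zipfile.ZipFile, path: str, out: List[Finding]) -> None:
    names = set(zf.namelist())
    version = _version_from_pom(zf)
    has_jndi = JNDI_LOOKUP in names
    # A jar that only references the log4j API (e.g. LogManager.class) is not
    # reported: it does not carry log4j-core, the point made about flink-shaded-zookeeper.
    if version is not None or has_jndi:
        out.append(Finding(path, version, has_jndi))
    for name in sorted(names):          # shaded/uber jars may embed other jars
        if name.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _scan_zip(inner, f"{path}!{name}", out)

def scan_directory(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                jar = os.path.join(dirpath, name)
                with zipfile.ZipFile(jar) as zf:
                    _scan_zip(zf, jar, findings)
    return findings

def version_tuple(version: str):
    return tuple(int(x) for x in re.findall(r"\d+", version))  # "2.17.1" -> (2, 17, 1)

def is_fixed(version: Optional[str], minimum: str = FIXED_VERSION) -> bool:
    # An unknown version is treated as not fixed: it cannot be proven safe.
    return version is not None and version_tuple(version) >= version_tuple(minimum)

def mitigation_flag_set(env: Dict[str, str]) -> bool:
    return MITIGATION_FLAG in env.get("JAVA_TOOL_OPTIONS", "").split()

def assess(root: str, env: Dict[str, str]) -> Dict[str, object]:
    findings = scan_directory(root)
    vulnerable = [f for f in findings if not is_fixed(f.version)]
    return {
        "findings": findings,
        "vulnerable": vulnerable,
        "mitigated": mitigation_flag_set(env),  # reported, but never counted as a fix
        "ok": not vulnerable,
    }

def build_sample_distribution(root: str) -> str:
    """Constructed fixture, not a real Flink lib/: an old log4j-core plus a
    shaded jar that merely references the log4j API."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(CORE_POM, "version=2.14.1\nartifactId=log4j-core\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")   # placeholder class bytes
    with zipfile.ZipFile(os.path.join(lib, "flink-shaded-zookeeper-sample.jar"), "w") as zf:
        zf.writestr("org/apache/logging/log4j/LogManager.class", b"\xca\xfe\xba\xbe")
    return lib

def demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as tmp:
        return assess(build_sample_distribution(tmp), {"JAVA_TOOL_OPTIONS": "-Xmx1g " + MITIGATION_FLAG})

if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f"{f.path}: version={f.version} JndiLookup={f.has_jndi_lookup} fixed={is_fixed(f.version)}")
    print("stop-gap flag set:", result["mitigated"], "| distribution ok:", result["ok"])
```

Against a real installation call assess("/opt/flink/lib", os.environ) (path assumed). A jar that carries JndiLookup.class but no pom.properties, as a repackaged build might, is reported with version None and counted as vulnerable, since its version cannot be proven; and the flag check is deliberately kept out of the "ok" verdict, matching the thread's own position that the flag is a holdover until the upgraded release is deployed.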

Re: CVE-2021-44228 - Log4j2 vulnerability

Posted by Francis Conroy <fr...@switchdin.com>.
The release notification email came out a few days ago.



On Mon, 21 Feb 2022 at 14:18, Surendra Lalwani <su...@swiggy.in>
wrote:

> Hi Team,
>
> Any updates on Flink 1.13.6 version release?
>
> Regards,
> Surendra Lalwani
>
>
> On Fri, Feb 4, 2022 at 1:23 PM Martijn Visser <ma...@ververica.com>
> wrote:
>
>> Hi Surendra,
>>
>> You can follow the discussion on this topic in the Dev mailing list [1].
>> I would expect it in the next couple of weeks.
>>
>> Best regards,
>>
>> Martijn
>>
>> [1] https://lists.apache.org/thread/n417406j125n080vopljgfflc45yygh4
>>
>> On Fri, 4 Feb 2022 at 08:49, Surendra Lalwani <su...@swiggy.in>
>> wrote:
>>
>>> Hi Team,
>>>
>>> Any ETA on Flink version 1.13.6 release.
>>>
>>> Thanks and Regards ,
>>> Surendra Lalwani
>>>
>>>
>>> On Sun, Jan 9, 2022 at 3:50 PM David Morávek <dm...@apache.org> wrote:
>>>
>>>> Flink community officially only supports current and previous minor
>>>> versions [1] (1.13, 1.14) with bug fixes. Personally I wouldn’t expect
>>>> there will be another patch release for 1.12.
>>>>
>>>> If you really need an extra release for the unsupported version, the
>>>> most straightforward approach would be manually building the Flink
>>>> distribution from sources [2] with the patches you need.
>>>>
>>>> [1]
>>>> https://flink.apache.org/downloads.html#update-policy-for-old-releases
>>>> [2]
>>>>
>>>> https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source
>>>>
>>>> D.
>>>>
>>>> On Sun 9. 1. 2022 at 10:10, V N, Suchithra (Nokia - IN/Bangalore) <
>>>> suchithra.v_n@nokia.com> wrote:
>>>>
>>>>> Hi David,
>>>>>
>>>>>
>>>>>
>>>>> As per the below comments, Flink 1.14.3 is in preparation and this
>>>>> hasn't started yet for Flink 1.13.6. Flink 1.12.8 release will be
>>>>> planned after this? If there is no current plan, could you please let us
>>>>> know what will be the regular release timing for 1.12.8 version.
>>>>>
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> Suchithra
>>>>>
>>>>>
>>>>>
>>>>> *From:* David Morávek <dm...@apache.org>
>>>>> *Sent:* Sunday, January 9, 2022 12:11 AM
>>>>> *To:* V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>
>>>>> *Cc:* Chesnay Schepler <ch...@apache.org>; Martijn Visser <
>>>>> martijn@ververica.com>; Michael Guterl <gu...@justin.tv>; Parag
>>>>> Somani <so...@gmail.com>; Patrick.Eifler@sony.com; Richard
>>>>> Deurwaarder <ri...@xeli.eu>; User <us...@flink.apache.org>;
>>>>> subharaj.manna@gmail.com; swamy.hajeed@gmail.com
>>>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>>>
>>>>>
>>>>>
>>>>> Hi Suchithra,
>>>>>
>>>>>
>>>>>
>>>>> there is currently no plan on doing another 1.12 release
>>>>>
>>>>>
>>>>>
>>>>> D.
>>>>>
>>>>>
>>>>>
>>>>> On Sat 8. 1. 2022 at 18:02, V N, Suchithra (Nokia - IN/Bangalore) <
>>>>> suchithra.v_n@nokia.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>>
>>>>>
>>>>> When can we expect the flink 1.12 releases with log4j 2.17.1?
>>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Suchithra
>>>>>
>>>>>
>>>>>
>>>>> *From:* Martijn Visser <ma...@ververica.com>
>>>>> *Sent:* Thursday, January 6, 2022 7:45 PM
>>>>> *To:* Patrick.Eifler@sony.com
>>>>> *Cc:* David Morávek <dm...@apache.org>; swamy.hajeed@gmail.com;
>>>>> subharaj.manna@gmail.com; V N, Suchithra (Nokia - IN/Bangalore) <
>>>>> suchithra.v_n@nokia.com>; Chesnay Schepler <ch...@apache.org>; User
>>>>> <us...@flink.apache.org>; Michael Guterl <gu...@justin.tv>; Richard
>>>>> Deurwaarder <ri...@xeli.eu>; Parag Somani <so...@gmail.com>
>>>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>>>
>>>>>
>>>>>
>>>>> Hi all,
>>>>>
>>>>>
>>>>>
>>>>> The ticket for upgrading Log4J to 2.17.0 is
>>>>> https://issues.apache.org/jira/browse/FLINK-25375. There's also the
>>>>> update to Log4j 2.17.1 which is tracked under
>>>>> https://issues.apache.org/jira/browse/FLINK-25472
>>>>>
>>>>>
>>>>>
>>>>> As you can see, both have a fix version set to 1.14.3 and 1.13.6.
>>>>> These versions haven't been released yet. Flink 1.14.3 is in preparation,
>>>>> this hasn't started yet for Flink 1.13.6.
>>>>>
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>>
>>>>>
>>>>> Martijn
>>>>>
>>>>>
>>>>>

Re: CVE-2021-44228 - Log4j2 vulnerability

Posted by Surendra Lalwani <su...@swiggy.in>.
Hi Team,

Any updates on Flink 1.13.6 version release?

Regards,
Surendra Lalwani


On Fri, Feb 4, 2022 at 1:23 PM Martijn Visser <ma...@ververica.com> wrote:

> Hi Surendra,
>
> You can follow the discussion on this topic in the Dev mailing list [1]. I
> would expect it in the next couple of weeks.
>
> Best regards,
>
> Martijn
>
> [1] https://lists.apache.org/thread/n417406j125n080vopljgfflc45yygh4
>
> On Fri, 4 Feb 2022 at 08:49, Surendra Lalwani <su...@swiggy.in>
> wrote:
>
>> Hi Team,
>>
>> Any ETA on Flink version 1.13.6 release.
>>
>> Thanks and Regards ,
>> Surendra Lalwani
>>
>>
>> On Sun, Jan 9, 2022 at 3:50 PM David Morávek <dm...@apache.org> wrote:
>>
>>> Flink community officially only supports current and previous minor
>>> versions [1] (1.13, 1.14) with bug fixes. Personally I wouldn’t expect
>>> there will be another patch release for 1.12.
>>>
>>> If you really need an extra release for the unsupported version, the
>>> most straightforward approach would be manually building the Flink
>>> distribution from sources [2] with the patches you need.
>>>
>>> [1]
>>> https://flink.apache.org/downloads.html#update-policy-for-old-releases
>>> [2]
>>>
>>> https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source
>>>
>>> D.
>>>
>>> On Sun 9. 1. 2022 at 10:10, V N, Suchithra (Nokia - IN/Bangalore) <
>>> suchithra.v_n@nokia.com> wrote:
>>>
>>>> Hi David,
>>>>
>>>>
>>>>
>>>> As per the below comments, Flink 1.14.3 is in preparation and this
>>>> hasn't started yet for Flink 1.13.6. Flink 1.12.8 release will be
>>>> planned after this? If there is no current plan, could you please let us
>>>> know what will be the regular release timing for 1.12.8 version.
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Suchithra
>>>>
>>>>
>>>>
>>>> *From:* David Morávek <dm...@apache.org>
>>>> *Sent:* Sunday, January 9, 2022 12:11 AM
>>>> *To:* V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>
>>>> *Cc:* Chesnay Schepler <ch...@apache.org>; Martijn Visser <
>>>> martijn@ververica.com>; Michael Guterl <gu...@justin.tv>; Parag
>>>> Somani <so...@gmail.com>; Patrick.Eifler@sony.com; Richard
>>>> Deurwaarder <ri...@xeli.eu>; User <us...@flink.apache.org>;
>>>> subharaj.manna@gmail.com; swamy.hajeed@gmail.com
>>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>>
>>>>
>>>>
>>>> Hi Suchithra,
>>>>
>>>>
>>>>
>>>> there is currently no plan on doing another 1.12 release
>>>>
>>>>
>>>>
>>>> D.
>>>>
>>>>
>>>>
>>>> On Sat 8. 1. 2022 at 18:02, V N, Suchithra (Nokia - IN/Bangalore) <
>>>> suchithra.v_n@nokia.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>>
>>>>
>>>> When can we expect the flink 1.12 releases with log4j 2.17.1?
>>>>
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Suchithra
>>>>
>>>>
>>>>
>>>> *From:* Martijn Visser <ma...@ververica.com>
>>>> *Sent:* Thursday, January 6, 2022 7:45 PM
>>>> *To:* Patrick.Eifler@sony.com
>>>> *Cc:* David Morávek <dm...@apache.org>; swamy.hajeed@gmail.com;
>>>> subharaj.manna@gmail.com; V N, Suchithra (Nokia - IN/Bangalore) <
>>>> suchithra.v_n@nokia.com>; Chesnay Schepler <ch...@apache.org>; User <
>>>> user@flink.apache.org>; Michael Guterl <gu...@justin.tv>; Richard
>>>> Deurwaarder <ri...@xeli.eu>; Parag Somani <so...@gmail.com>
>>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>>
>>>>
>>>>
>>>> Hi all,
>>>>
>>>>
>>>>
>>>> The ticket for upgrading Log4J to 2.17.0 is
>>>> https://issues.apache.org/jira/browse/FLINK-25375. There's also the
>>>> update to Log4j 2.17.1 which is tracked under
>>>> https://issues.apache.org/jira/browse/FLINK-25472
>>>>
>>>>
>>>>
>>>> As you can see, both have a fix version set to 1.14.3 and 1.13.6. These
>>>> versions haven't been released yet. Flink 1.14.3 is in preparation, this
>>>> hasn't started yet for Flink 1.13.6.
>>>>
>>>>
>>>>
>>>> Best regards,
>>>>
>>>>
>>>>
>>>> Martijn
>>>>
>>>>
>>>>
>>>> On Thu, 6 Jan 2022 at 15:05, <Pa...@sony.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>>
>>>>
>>>> just to be sure: Which Flink Releases for 1.14 and 1.13 have the
>>>> upgraded log4j version 2.17.0?
>>>>
>>>> Are those already deployed to docker?
>>>>
>>>>
>>>>
>>>> Many Thanks in Advance.
>>>>
>>>>
>>>>
>>>> Kind Regards,
>>>>
>>>>
>>>>
>>>> Patrick
>>>>
>>>> --
>>>>
>>>> Patrick Eifler
>>>>
>>>>
>>>>
>>>> Senior Software Engineer (BI)
>>>>
>>>> Cloud Gaming Engineering & Infrastructure
>>>> Sony Interactive Entertainment LLC
>>>>
>>>> Wilhelmstraße 118, 10963 Berlin
>>>>
>>>>
>>>> Germany
>>>>
>>>> E: patrick.eifler@sony.com
>>>>
>>>>
>>>>
>>>> *From: *David Morávek <dm...@apache.org>
>>>> *Date: *Wednesday, 29. December 2021 at 09:35
>>>> *To: *narasimha <sw...@gmail.com>
>>>> *Cc: *Debraj Manna <su...@gmail.com>, Martijn Visser <
>>>> martijn@ververica.com>, V N, Suchithra (Nokia - IN/Bangalore) <
>>>> suchithra.v_n@nokia.com>, Chesnay Schepler <ch...@apache.org>, user <
>>>> user@flink.apache.org>, Michael Guterl <gu...@justin.tv>, Richard
>>>> Deurwaarder <ri...@xeli.eu>, Parag Somani <so...@gmail.com>
>>>> *Subject: *Re: CVE-2021-44228 - Log4j2 vulnerability
>>>>
>>>> Please follow the above-mentioned ML thread for more details. Please
>>>> note that this is a REGULAR release that is not motivated by the log4j CVE,
>>>> so the stability of the release is the more important factor than having it
>>>> out as soon as possible.
>>>>
>>>>
>>>>
>>>> D.
>>>>
>>>>
>>>>
>>>> On Mon, Dec 27, 2021 at 6:33 AM narasimha <sw...@gmail.com>
>>>> wrote:
>>>>
>>>> Hi folks,
>>>>
>>>>
>>>>
>>>> When can we expect the release to be made available to the community?
>>>>
>>>>
>>>>
>>>> On Wed, Dec 22, 2021 at 3:07 PM David Morávek <dm...@apache.org> wrote:
>>>>
>>>> Hi Debraj,
>>>>
>>>>
>>>>
>>>> we're currently not planning another emergency release as this CVE is
>>>> not as critical for Flink users as the previous one. However, this patch
>>>> will be included in all upcoming patch & minor releases. The patch release
>>>> for the 1.14.x branch is already in progress [1] (it may be bit delayed due
>>>> to the holiday season).
>>>>
>>>>
>>>>
>>>> [1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk
>>>>
>>>>
>>>>
>>>> Best,
>>>>
>>>> D.
>>>>
>>>>
>>>>
>>>> On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <su...@gmail.com>
>>>> wrote:
>>>>
>>>> Any idea when we can expect
>>>> https://issues.apache.org/jira/browse/FLINK-25375
>>>> to be released?
>>>>
>>>>
>>>>
>>>> On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <ma...@ververica.com>
>>>> wrote:
>>>>
>>>> Hi,
>>>>
>>>>
>>>>
>>>> The status and Flink ticket for upgrading to Log4j 2.17.0 can be
>>>> tracked at https://issues.apache.org/jira/browse/FLINK-25375.
>>>>
>>>>
>>>>
>>>> Best regards,
>>>>
>>>>
>>>>
>>>> Martijn
>>>>
>>>>
>>>>
>>>> On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) <
>>>> suchithra.v_n@nokia.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>>
>>>>
>>>> It seems there is a high severity vulnerability in log4j 2.16.0
>>>> (CVE-2021-45105).
>>>>
>>>> Refer: https://logging.apache.org/log4j/2.x/security.html
>>>>
>>>> Any update on this please?
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Suchithra
>>>>
>>>>
>>>>
>>>> *From:* Chesnay Schepler <ch...@apache.org>
>>>> *Sent:* Thursday, December 16, 2021 4:35 PM
>>>> *To:* Parag Somani <so...@gmail.com>
>>>> *Cc:* Michael Guterl <gu...@justin.tv>; V N, Suchithra (Nokia -
>>>> IN/Bangalore) <su...@nokia.com>; Richard Deurwaarder <
>>>> richard@xeli.eu>; user <us...@flink.apache.org>
>>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>>
>>>>
>>>>
>>>> We will announce the releases when the binaries are available.
>>>>
>>>>
>>>>
>>>> On 16/12/2021 05:37, Parag Somani wrote:
>>>>
>>>> Thank you Chesnay for expediting this fix...!
>>>>
>>>>
>>>>
>>>> Can you suggest, when can I get binaries for 1.14.2 flink version?
>>>>
>>>>
>>>>
>>>> On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ch...@apache.org>
>>>> wrote:
>>>>
>>>> We will push docker images for all new releases, yes.
>>>>
>>>>
>>>>
>>>> On 16/12/2021 01:16, Michael Guterl wrote:
>>>>
>>>> Will you all be pushing Docker images for the 1.11.6 release?
>>>>
>>>>
>>>>
>>>> On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ch...@apache.org>
>>>> wrote:
>>>>
>>>> The current ETA is 40h for an official announcement.
>>>>
>>>> We are validating the release today (concludes in 16h), publish it
>>>> tonight, then wait for mirrors to sync (about a day), then we announce
>>>> it.
>>>>
>>>>
>>>>
>>>> On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
>>>>
>>>> Hello,
>>>>
>>>>
>>>>
>>>> Could you please tell when we can expect Flink 1.12.7 release? We are
>>>> waiting for the CVE fix.
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Suchithra
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *From:* Chesnay Schepler <ch...@apache.org> <ch...@apache.org>
>>>> *Sent:* Wednesday, December 15, 2021 4:04 PM
>>>> *To:* Richard Deurwaarder <ri...@xeli.eu> <ri...@xeli.eu>
>>>> *Cc:* user <us...@flink.apache.org> <us...@flink.apache.org>
>>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>>
>>>>
>>>>
>>>> We will also update the docker images.
>>>>
>>>>
>>>>
>>>> On 15/12/2021 11:29, Richard Deurwaarder wrote:
>>>>
>>>> Thanks for picking this up quickly!
>>>>
>>>>
>>>>
>>>> I saw you've made a second minor upgrade to upgrade to log4j2 2.16
>>>> which is perfect.
>>>>
>>>>
>>>>
>>>> Just to clarify: Will you also push new docker images for these
>>>> releases as well? In particular flink 1.11.6 (Sorry we must upgrade soon!
>>>> :()
>>>>
>>>>
>>>>
>>>> On Tue, Dec 14, 2021 at 2:33 AM narasimha <sw...@gmail.com>
>>>> wrote:
>>>>
>>>> Thanks Timo, that was helpful.
>>>>
>>>>
>>>>
>>>> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <
>>>> prasannakumarramani@gmail.com> wrote:
>>>>
>>>> Chesnay Thank you for the clarification.
>>>>
>>>>
>>>>
>>>> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ch...@apache.org>
>>>> wrote:
>>>>
>>>> The flink-shaded-zookeeper jars do not contain log4j.
>>>>
>>>>
>>>>
>>>> On 13/12/2021 14:11, Prasanna kumar wrote:
>>>>
>>>> Does Zookeeper have this vulnerability dependency? I see references to
>>>> log4j in the Shaded Zookeeper jar included as part of the flink distribution.
>>>>
>>>>
>>>>
>>>> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <tw...@apache.org>
>>>> wrote:
>>>>
>>>> While we are working to upgrade the affected dependencies of all
>>>> components, we recommend users follow the advisory of the Apache Log4j
>>>> Community. Also Ververica platform can be patched with a similar
>>>> approach:
>>>>
>>>> To configure the JVMs used by Ververica Platform, you can pass custom
>>>> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
>>>> following to your platform values.yaml, or append to the existing value
>>>> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
>>>> the platform with Helm:
>>>> env:
>>>>    - name: JAVA_TOOL_OPTIONS
>>>>      value: -Dlog4j2.formatMsgNoLookups=true
>>>>
>>>>
>>>> For any questions, please contact us via our support portal.
>>>>
>>>> Regards,
>>>> Timo
>>>>
>>>> On 11.12.21 06:45, narasimha wrote:
>>>> > Folks, what about the Ververica platform. Is there any
>>>> mitigation around it?
>>>> >
>>>> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <chesnay@apache.org
>>>> > <ma...@apache.org>> wrote:
>>>> >
>>>> >     I would recommend to modify your log4j configurations to set
>>>> >     log4j2.formatMsgNoLookups to true.
>>>> >
>>>> >     As far as I can tell this is equivalent to upgrading log4j, which
>>>> >     just disabled this lookup by default.
>>>> >
>>>> >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>>>> >>     Hello,
>>>> >>
>>>> >>     There has been a log4j2 vulnerability made public
>>>> >>     https://www.randori.com/blog/cve-2021-44228/ which is making
>>>> >>     some waves :)
>>>> >>     This post even explicitly mentions Apache Flink:
>>>> >>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>>>> >>
>>>> >>     And fortunately, I saw this was already on your radar:
>>>> >>     https://issues.apache.org/jira/browse/FLINK-25240
>>>> >>
>>>> >>     What would the advice be for flink users? Do you expect to push a
>>>> >>     minor to fix this? Or is it advisable to upgrade to the latest
>>>> >>     log4j2 version manually for now?
>>>> >>
>>>> >>     Thanks for any advice!
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > A.Narasimha Swamy
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> A.Narasimha Swamy
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Regards,
>>>> Parag Surajmal Somani.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> A.Narasimha Swamy
>>>>
>>>>
>>
>> ------------------------------
>> IMPORTANT NOTICE: This e-mail, including any attachments, may contain
>> confidential information and is intended only for the addressee(s) named
>> above. If you are not the intended recipient(s), you should not
>> disseminate, distribute, or copy this e-mail. Please notify the sender by
>> reply e-mail immediately if you have received this e-mail in error and
>> permanently delete all copies of the original message from your system.
>> E-mail transmission cannot be guaranteed to be secure as it could be
>> intercepted, corrupted, lost, destroyed, arrive late or incomplete, or
>> contain viruses. Company accepts no liability for any damage or loss of
>> confidential information caused by this email or due to any virus
>> transmitted by this email or otherwise.
>
>


Re: CVE-2021-44228 - Log4j2 vulnerability

Posted by Martijn Visser <ma...@ververica.com>.
Hi Surendra,

You can follow the discussion on this topic in the Dev mailing list [1]. I
would expect it in the next couple of weeks.

Best regards,

Martijn

[1] https://lists.apache.org/thread/n417406j125n080vopljgfflc45yygh4

On Fri, 4 Feb 2022 at 08:49, Surendra Lalwani <su...@swiggy.in>
wrote:

> Hi Team,
>
> Any ETA on the Flink version 1.13.6 release?
>
> Thanks and Regards,
> Surendra Lalwani
>
>
> On Sun, Jan 9, 2022 at 3:50 PM David Morávek <dm...@apache.org> wrote:
>
>> Flink community officially only supports current and previous minor
>> versions [1] (1.13, 1.14) with bug fixes. Personally I wouldn’t expect
>> there will be another patch release for 1.12.
>>
>> If you really need an extra release for the unsupported version, the most
>> straightforward approach would be manually building the Flink distribution
>> from sources [2] with the patches you need.
>>
>> [1]
>> https://flink.apache.org/downloads.html#update-policy-for-old-releases
>> [2]
>>
>> https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source
>>
>> D.
>>
>> On Sun 9. 1. 2022 at 10:10, V N, Suchithra (Nokia - IN/Bangalore) <
>> suchithra.v_n@nokia.com> wrote:
>>
>>> Hi David,
>>>
>>>
>>>
>>> As per the below comments, Flink 1.14.3 is in preparation and this
>>> hasn't started yet for Flink 1.13.6. Will the Flink 1.12.8 release be
>>> planned after this? If there is no current plan, could you please let us
>>> know what the regular release timing for the 1.12.8 version will be.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Suchithra
>>>
>>>
>>>
>>> *From:* David Morávek <dm...@apache.org>
>>> *Sent:* Sunday, January 9, 2022 12:11 AM
>>> *To:* V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>
>>> *Cc:* Chesnay Schepler <ch...@apache.org>; Martijn Visser <
>>> martijn@ververica.com>; Michael Guterl <gu...@justin.tv>; Parag
>>> Somani <so...@gmail.com>; Patrick.Eifler@sony.com; Richard
>>> Deurwaarder <ri...@xeli.eu>; User <us...@flink.apache.org>;
>>> subharaj.manna@gmail.com; swamy.hajeed@gmail.com
>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>
>>>
>>>
>>> Hi Suchithra,
>>>
>>>
>>>
>>> there is currently no plan on doing another 1.12 release
>>>
>>>
>>>
>>> D.
>>>
>>>
>>>
>>> On Sat 8. 1. 2022 at 18:02, V N, Suchithra (Nokia - IN/Bangalore) <
>>> suchithra.v_n@nokia.com> wrote:
>>>
>>> Hi,
>>>
>>>
>>>
>>> When can we expect the flink 1.12 releases with log4j 2.17.1?
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Suchithra
>>>
>>>
>>>
>>> *From:* Martijn Visser <ma...@ververica.com>
>>> *Sent:* Thursday, January 6, 2022 7:45 PM
>>> *To:* Patrick.Eifler@sony.com
>>> *Cc:* David Morávek <dm...@apache.org>; swamy.hajeed@gmail.com;
>>> subharaj.manna@gmail.com; V N, Suchithra (Nokia - IN/Bangalore) <
>>> suchithra.v_n@nokia.com>; Chesnay Schepler <ch...@apache.org>; User <
>>> user@flink.apache.org>; Michael Guterl <gu...@justin.tv>; Richard
>>> Deurwaarder <ri...@xeli.eu>; Parag Somani <so...@gmail.com>
>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>
>>>
>>>
>>> Hi all,
>>>
>>>
>>>
>>> The ticket for upgrading Log4J to 2.17.0 is
>>> https://issues.apache.org/jira/browse/FLINK-25375. There's also the
>>> update to Log4j 2.17.1 which is tracked under
>>> https://issues.apache.org/jira/browse/FLINK-25472
>>>
>>>
>>>
>>> As you can see, both have a fix version set to 1.14.3 and 1.13.6. These
>>> versions haven't been released yet. Flink 1.14.3 is in preparation, this
>>> hasn't started yet for Flink 1.13.6.
>>>
>>>
>>>
>>> Best regards,
>>>
>>>
>>>
>>> Martijn
>>>
>>>
>>>
>>> On Thu, 6 Jan 2022 at 15:05, <Pa...@sony.com> wrote:
>>>
>>> Hi,
>>>
>>>
>>>
>>> just to be sure: Which Flink Releases for 1.14 and 1.13 have the
>>> upgraded log4j version 2.17.0?
>>>
>>> Are those already deployed to docker?
>>>
>>>
>>>
>>> Many Thanks in Advance.
>>>
>>>
>>>
>>> Kind Regards,
>>>
>>>
>>>
>>> Patrick
>>>
>>> --
>>>
>>> Patrick Eifler
>>>
>>>
>>>
>>> Senior Software Engineer (BI)
>>>
>>> Cloud Gaming Engineering & Infrastructure
>>> Sony Interactive Entertainment LLC
>>>
>>> Wilhelmstraße 118, 10963 Berlin
>>>
>>>
>>> Germany
>>>
>>> E: patrick.eifler@sony.com
>>>
>>>
>>>
>>> *From: *David Morávek <dm...@apache.org>
>>> *Date: *Wednesday, 29. December 2021 at 09:35
>>> *To: *narasimha <sw...@gmail.com>
>>> *Cc: *Debraj Manna <su...@gmail.com>, Martijn Visser <
>>> martijn@ververica.com>, V N, Suchithra (Nokia - IN/Bangalore) <
>>> suchithra.v_n@nokia.com>, Chesnay Schepler <ch...@apache.org>, user <
>>> user@flink.apache.org>, Michael Guterl <gu...@justin.tv>, Richard
>>> Deurwaarder <ri...@xeli.eu>, Parag Somani <so...@gmail.com>
>>> *Subject: *Re: CVE-2021-44228 - Log4j2 vulnerability
>>>
>>> Please follow the above-mentioned ML thread for more details. Please
>>> note that this is a REGULAR release that is not motivated by the log4j CVE,
>>> so the stability of the release is the more important factor than having it
>>> out as soon as possible.
>>>
>>>
>>>
>>> D.
>>>
>>>
>>>
>>> On Mon, Dec 27, 2021 at 6:33 AM narasimha <sw...@gmail.com>
>>> wrote:
>>>
>>> Hi folks,
>>>
>>>
>>>
>>> When can we expect the release to be made available to the community?
>>>
>>>
>>>
>>> On Wed, Dec 22, 2021 at 3:07 PM David Morávek <dm...@apache.org> wrote:
>>>
>>> Hi Debraj,
>>>
>>>
>>>
>>> we're currently not planning another emergency release as this CVE is
>>> not as critical for Flink users as the previous one. However, this patch
>>> will be included in all upcoming patch & minor releases. The patch release
>>> for the 1.14.x branch is already in progress [1] (it may be bit delayed due
>>> to the holiday season).
>>>
>>>
>>>
>>> [1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk
>>>
>>>
>>>
>>> Best,
>>>
>>> D.
>>>
>>>
>>>
>>> On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <su...@gmail.com>
>>> wrote:
>>>
>>> Any idea when we can expect
>>> https://issues.apache.org/jira/browse/FLINK-25375
>>> to be released?
>>>
>>>
>>>
>>> On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <ma...@ververica.com>
>>> wrote:
>>>
>>> Hi,
>>>
>>>
>>>
>>> The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked
>>> at https://issues.apache.org/jira/browse/FLINK-25375.
>>>
>>>
>>>
>>> Best regards,
>>>
>>>
>>>
>>> Martijn
>>>
>>>
>>>
>>> On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) <
>>> suchithra.v_n@nokia.com> wrote:
>>>
>>> Hi,
>>>
>>>
>>>
>>> It seems there is a high severity vulnerability in log4j 2.16.0
>>> (CVE-2021-45105).
>>>
>>> Refer: https://logging.apache.org/log4j/2.x/security.html
>>>
>>> Any update on this please?
>>>
>>>
>>>
>>> Regards,
>>>
>>> Suchithra
>>>
>>>
>>>
>>> *From:* Chesnay Schepler <ch...@apache.org>
>>> *Sent:* Thursday, December 16, 2021 4:35 PM
>>> *To:* Parag Somani <so...@gmail.com>
>>> *Cc:* Michael Guterl <gu...@justin.tv>; V N, Suchithra (Nokia -
>>> IN/Bangalore) <su...@nokia.com>; Richard Deurwaarder <
>>> richard@xeli.eu>; user <us...@flink.apache.org>
>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>
>>>
>>>
>>> We will announce the releases when the binaries are available.
>>>
>>>
>>>
>>> On 16/12/2021 05:37, Parag Somani wrote:
>>>
>>> Thank you Chesnay for expediting this fix...!
>>>
>>>
>>>
>>> Can you suggest, when can I get binaries for 1.14.2 flink version?
>>>
>>>
>>>
>>> On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ch...@apache.org>
>>> wrote:
>>>
>>> We will push docker images for all new releases, yes.
>>>
>>>
>>>
>>> On 16/12/2021 01:16, Michael Guterl wrote:
>>>
>>> Will you all be pushing Docker images for the 1.11.6 release?
>>>
>>>
>>>
>>> On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ch...@apache.org>
>>> wrote:
>>>
>>> The current ETA is 40h for an official announcement.
>>>
>>> We are validating the release today (concludes in 16h), publish it
>>> tonight, then wait for mirrors to sync (about a day), then we announce
>>> it.
>>>
>>>
>>>
>>> On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
>>>
>>> Hello,
>>>
>>>
>>>
>>> Could you please tell when we can expect Flink 1.12.7 release? We are
>>> waiting for the CVE fix.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Suchithra
>>>
>>>
>>>
>>>
>>>
>>> *From:* Chesnay Schepler <ch...@apache.org> <ch...@apache.org>
>>> *Sent:* Wednesday, December 15, 2021 4:04 PM
>>> *To:* Richard Deurwaarder <ri...@xeli.eu> <ri...@xeli.eu>
>>> *Cc:* user <us...@flink.apache.org> <us...@flink.apache.org>
>>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>>
>>>
>>>
>>> We will also update the docker images.
>>>
>>>
>>>
>>> On 15/12/2021 11:29, Richard Deurwaarder wrote:
>>>
>>> Thanks for picking this up quickly!
>>>
>>>
>>>
>>> I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which
>>> is perfect.
>>>
>>>
>>>
>>> Just to clarify: Will you also push new docker images for these releases
>>> as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :()
>>>
>>>
>>>
>>> On Tue, Dec 14, 2021 at 2:33 AM narasimha <sw...@gmail.com>
>>> wrote:
>>>
>>> Thanks Timo, that was helpful.
>>>
>>>
>>>
>>> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <
>>> prasannakumarramani@gmail.com> wrote:
>>>
>>> Chesnay Thank you for the clarification.
>>>
>>>
>>>
>>> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ch...@apache.org>
>>> wrote:
>>>
>>> The flink-shaded-zookeeper jars do not contain log4j.
>>>
>>>
>>>
>>> On 13/12/2021 14:11, Prasanna kumar wrote:
>>>
>>> Does Zookeeper have this vulnerability dependency? I see references to
>>> log4j in the Shaded Zookeeper jar included as part of the flink distribution.
>>>
>>>
>>>
>>> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <tw...@apache.org> wrote:
>>>
>>> While we are working to upgrade the affected dependencies of all
>>> components, we recommend users follow the advisory of the Apache Log4j
>>> Community. Also Ververica platform can be patched with a similar
>>> approach:
>>>
>>> To configure the JVMs used by Ververica Platform, you can pass custom
>>> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
>>> following to your platform values.yaml, or append to the existing value
>>> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
>>> the platform with Helm:
>>> env:
>>>    - name: JAVA_TOOL_OPTIONS
>>>      value: -Dlog4j2.formatMsgNoLookups=true
>>>
>>>
>>> For any questions, please contact us via our support portal.
>>>
>>> Regards,
>>> Timo
>>>
>>> On 11.12.21 06:45, narasimha wrote:
>>> > Folks, what about the Ververica platform. Is there any
>>> mitigation around it?
>>> >
>>> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <chesnay@apache.org
>>> > <ma...@apache.org>> wrote:
>>> >
>>> >     I would recommend to modify your log4j configurations to set
>>> >     log4j2.formatMsgNoLookups to true.
>>> >
>>> >     As far as I can tell this is equivalent to upgrading log4j, which
>>> >     just disabled this lookup by default.
>>> >
>>> >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>>> >>     Hello,
>>> >>
>>> >>     There has been a log4j2 vulnerability made public
>>> >>     https://www.randori.com/blog/cve-2021-44228/ which is making
>>> >>     some waves :)
>>> >>     This post even explicitly mentions Apache Flink:
>>> >>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>>> >>
>>> >>     And fortunately, I saw this was already on your radar:
>>> >>     https://issues.apache.org/jira/browse/FLINK-25240
>>> >>
>>> >>     What would the advice be for flink users? Do you expect to push a
>>> >>     minor to fix this? Or is it advisable to upgrade to the latest
>>> >>     log4j2 version manually for now?
>>> >>
>>> >>     Thanks for any advice!
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > A.Narasimha Swamy
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>>
>>> A.Narasimha Swamy
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>>
>>> Regards,
>>> Parag Surajmal Somani.
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>>
>>> A.Narasimha Swamy
>>>
>>>
>
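The version questions running through the thread and the formatMsgNoLookups mitigation that Timo and Chesnay describe reduce to one check an operator can run against an installation. The script below is an added example, not code from this thread or from the Flink project: it inventories the log4j-core jars in a Flink lib/ directory and reports which advisories from the Log4j security page each one is still open to, crediting the JVM flag only against CVE-2021-44228 because that page lists it as insufficient for CVE-2021-45046. It assumes Maven-style jar names and the fixed-in versions as published on the security page; the sample listing is constructed.

```python
"""Audit a Flink distribution's lib/ directory for the Log4j 2.x advisories
discussed in this thread. Added example; not code from the thread or from the
Flink project.

Assumptions (not from the thread): jar names follow the Maven convention
log4j-core-<major>.<minor>.<patch>.jar, and the fixed-in versions below are
those published on https://logging.apache.org/log4j/2.x/security.html.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Advisory -> first log4j-core release that fixes it (Log4j security page).
FIXED_IN: Dict[str, Version] = {
    "CVE-2021-44228": (2, 15, 0),  # JNDI message lookup RCE, the thread's subject
    "CVE-2021-45046": (2, 16, 0),  # incomplete fix of 44228 in 2.15.0
    "CVE-2021-45105": (2, 17, 0),  # recursion DoS reported above for 2.16.0
    "CVE-2021-44832": (2, 17, 1),  # the 2.17.1 update tracked in FLINK-25472
}

# The property exists from 2.10.0 and only disables lookups in the message
# text, so it is credited against CVE-2021-44228 alone: the Log4j security
# page states it does not mitigate CVE-2021-45046 in non-default layouts,
# and CVE-2021-45105 concerns pattern-layout recursion, not message lookups.
NOLOOKUPS_MIN_VERSION: Version = (2, 10, 0)
NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"

_JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_log4j_core_version(jar_name: str) -> Optional[Version]:
    """Return (major, minor, patch) for a log4j-core jar, else None.

    log4j-api and shaded bundles are skipped on purpose: the lookup code
    lives in log4j-core, and Chesnay confirms above that the
    flink-shaded-zookeeper jars do not contain log4j.
    """
    m = _JAR_RE.match(jar_name)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def open_advisories(version: Version) -> List[str]:
    """Advisories whose fixing release is newer than the given version."""
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def has_nolookups_flag(java_tool_options: str) -> bool:
    """True if a JAVA_TOOL_OPTIONS value carries the flag from Timo's mail."""
    return NOLOOKUPS_FLAG in java_tool_options.split()


def residual_exposure(version: Version, java_tool_options: str = "") -> List[str]:
    """Advisories still open once the jar version and the JVM flag are considered."""
    still_open = open_advisories(version)
    if has_nolookups_flag(java_tool_options) and version >= NOLOOKUPS_MIN_VERSION:
        still_open = [cve for cve in still_open if cve != "CVE-2021-44228"]
    return still_open


def audit_jar_names(jar_names: List[str], java_tool_options: str = "") -> Dict[str, List[str]]:
    """Map every log4j-core jar in a listing to the advisories it remains exposed to."""
    report: Dict[str, List[str]] = {}
    for name in sorted(jar_names):
        version = parse_log4j_core_version(name)
        if version is not None:
            report[name] = residual_exposure(version, java_tool_options)
    return report


def audit_lib_dir(lib_dir: str, java_tool_options: str = "") -> Dict[str, List[str]]:
    """Run the same audit over the jars actually present in <flink-home>/lib."""
    names = [p.name for p in Path(lib_dir).glob("*.jar")]
    return audit_jar_names(names, java_tool_options)


if __name__ == "__main__":
    # Constructed sample listing (not a real Flink release manifest), audited
    # with and without the mitigation from Timo's values.yaml snippet.
    sample_lib = [
        "flink-dist_2.12-1.14.0.jar",
        "flink-shaded-zookeeper-3.4.14.jar",
        "log4j-api-2.14.1.jar",
        "log4j-core-2.14.1.jar",
    ]
    for opts in ("", NOLOOKUPS_FLAG):
        print(f"JAVA_TOOL_OPTIONS={opts!r}")
        for jar, cves in audit_jar_names(sample_lib, opts).items():
            print(f"  {jar}: {', '.join(cves) or 'no open advisories'}")
```

Point `audit_lib_dir` at a real `<flink-home>/lib` to check a deployed distribution; an empty list for every log4j-core jar means the version is at or past 2.17.1.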

Re: CVE-2021-44228 - Log4j2 vulnerability

Posted by Surendra Lalwani <su...@swiggy.in>.
Hi Team,

Any ETA on the Flink version 1.13.6 release?

Thanks and Regards,
Surendra Lalwani


On Sun, Jan 9, 2022 at 3:50 PM David Morávek <dm...@apache.org> wrote:

> Flink community officially only supports current and previous minor
> versions [1] (1.13, 1.14) with bug fixes. Personally I wouldn’t expect
> there will be another patch release for 1.12.
>
> If you really need an extra release for the unsupported version, the most
> straightforward approach would be manually building the Flink distribution
> from sources [2] with the patches you need.
>
> [1] https://flink.apache.org/downloads.html#update-policy-for-old-releases
> [2]
>
> https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source
>
> D.
>
> On Sun 9. 1. 2022 at 10:10, V N, Suchithra (Nokia - IN/Bangalore) <
> suchithra.v_n@nokia.com> wrote:
>
>> Hi David,
>>
>>
>>
>> As per the below comments, Flink 1.14.3 is in preparation and this
>> hasn't started yet for Flink 1.13.6. Will the Flink 1.12.8 release be
>> planned after this? If there is no current plan, could you please let us
>> know what the regular release timing for the 1.12.8 version will be.
>>
>>
>>
>> Regards,
>>
>> Suchithra
>>
>>
>>
>> *From:* David Morávek <dm...@apache.org>
>> *Sent:* Sunday, January 9, 2022 12:11 AM
>> *To:* V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>
>> *Cc:* Chesnay Schepler <ch...@apache.org>; Martijn Visser <
>> martijn@ververica.com>; Michael Guterl <gu...@justin.tv>; Parag Somani
>> <so...@gmail.com>; Patrick.Eifler@sony.com; Richard Deurwaarder <
>> richard@xeli.eu>; User <us...@flink.apache.org>; subharaj.manna@gmail.com;
>> swamy.hajeed@gmail.com
>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>
>>
>>
>> Hi Suchithra,
>>
>>
>>
>> there is currently no plan on doing another 1.12 release
>>
>>
>>
>> D.
>>
>>
>>
>> On Sat 8. 1. 2022 at 18:02, V N, Suchithra (Nokia - IN/Bangalore) <
>> suchithra.v_n@nokia.com> wrote:
>>
>> Hi,
>>
>>
>>
>> When can we expect the flink 1.12 releases with log4j 2.17.1?
>>
>>
>>
>> Thanks,
>>
>> Suchithra
>>
>>
>>
>> *From:* Martijn Visser <ma...@ververica.com>
>> *Sent:* Thursday, January 6, 2022 7:45 PM
>> *To:* Patrick.Eifler@sony.com
>> *Cc:* David Morávek <dm...@apache.org>; swamy.hajeed@gmail.com;
>> subharaj.manna@gmail.com; V N, Suchithra (Nokia - IN/Bangalore) <
>> suchithra.v_n@nokia.com>; Chesnay Schepler <ch...@apache.org>; User <
>> user@flink.apache.org>; Michael Guterl <gu...@justin.tv>; Richard
>> Deurwaarder <ri...@xeli.eu>; Parag Somani <so...@gmail.com>
>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>
>>
>>
>> Hi all,
>>
>>
>>
>> The ticket for upgrading Log4J to 2.17.0 is
>> https://issues.apache.org/jira/browse/FLINK-25375. There's also the
>> update to Log4j 2.17.1 which is tracked under
>> https://issues.apache.org/jira/browse/FLINK-25472
>>
>>
>>
>> As you can see, both have a fix version set to 1.14.3 and 1.13.6. These
>> versions haven't been released yet. Flink 1.14.3 is in preparation, this
>> hasn't started yet for Flink 1.13.6.
>>
>>
>>
>> Best regards,
>>
>>
>>
>> Martijn
>>
>>
>>
>> On Thu, 6 Jan 2022 at 15:05, <Pa...@sony.com> wrote:
>>
>> Hi,
>>
>>
>>
>> just to be sure: Which Flink Releases for 1.14 and 1.13 have the upgraded
>> log4j version 2.17.0?
>>
>> Are those already deployed to docker?
>>
>>
>>
>> Many Thanks in Advance.
>>
>>
>>
>> Kind Regards,
>>
>>
>>
>> Patrick
>>
>> --
>>
>> Patrick Eifler
>>
>>
>>
>> Senior Software Engineer (BI)
>>
>> Cloud Gaming Engineering & Infrastructure
>> Sony Interactive Entertainment LLC
>>
>> Wilhelmstraße 118, 10963 Berlin
>>
>>
>> Germany
>>
>> E: patrick.eifler@sony.com
>>
>>
>>
>> *From: *David Morávek <dm...@apache.org>
>> *Date: *Wednesday, 29. December 2021 at 09:35
>> *To: *narasimha <sw...@gmail.com>
>> *Cc: *Debraj Manna <su...@gmail.com>, Martijn Visser <
>> martijn@ververica.com>, V N, Suchithra (Nokia - IN/Bangalore) <
>> suchithra.v_n@nokia.com>, Chesnay Schepler <ch...@apache.org>, user <
>> user@flink.apache.org>, Michael Guterl <gu...@justin.tv>, Richard
>> Deurwaarder <ri...@xeli.eu>, Parag Somani <so...@gmail.com>
>> *Subject: *Re: CVE-2021-44228 - Log4j2 vulnerability
>>
>> Please follow the above-mentioned ML thread for more details. Please note
>> that this is a REGULAR release that is not motivated by the log4j CVE, so
>> the stability of the release is the more important factor than having it
>> out as soon as possible.
>>
>>
>>
>> D.
>>
>>
>>
>> On Mon, Dec 27, 2021 at 6:33 AM narasimha <sw...@gmail.com> wrote:
>>
>> Hi folks,
>>
>>
>>
>> When can we expect the release to be made available to the community?
>>
>>
>>
>> On Wed, Dec 22, 2021 at 3:07 PM David Morávek <dm...@apache.org> wrote:
>>
>> Hi Debraj,
>>
>>
>>
>> we're currently not planning another emergency release as this CVE is not
>> as critical for Flink users as the previous one. However, this patch will
>> be included in all upcoming patch & minor releases. The patch release for
>> the 1.14.x branch is already in progress [1] (it may be bit delayed due to
>> the holiday season).
>>
>>
>>
>> [1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk
>>
>>
>>
>> Best,
>>
>> D.
>>
>>
>>
>> On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <su...@gmail.com>
>> wrote:
>>
>> Any idea when can we expect
>> https://issues.apache.org/jira/browse/FLINK-25375
>> to be released?
>>
>>
>>
>> On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <ma...@ververica.com>
>> wrote:
>>
>> Hi,
>>
>>
>>
>> The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked
>> at https://issues.apache.org/jira/browse/FLINK-25375.
>>
>>
>>
>> Best regards,
>>
>>
>>
>> Martijn
>>
>>
>>
>> On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) <
>> suchithra.v_n@nokia.com> wrote:
>>
>> Hi,
>>
>>
>>
>> It seems there is a high severity vulnerability in log4j 2.16.0 (CVE-2021-45105).
>>
>> Refer : https://logging.apache.org/log4j/2.x/security.html
>>
>> Any update on this please?
>>
>>
>>
>> Regards,
>>
>> Suchithra
>>
>>
>>
>> *From:* Chesnay Schepler <ch...@apache.org>
>> *Sent:* Thursday, December 16, 2021 4:35 PM
>> *To:* Parag Somani <so...@gmail.com>
>> *Cc:* Michael Guterl <gu...@justin.tv>; V N, Suchithra (Nokia -
>> IN/Bangalore) <su...@nokia.com>; Richard Deurwaarder <
>> richard@xeli.eu>; user <us...@flink.apache.org>
>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>
>>
>>
>> We will announce the releases when the binaries are available.
>>
>>
>>
>> On 16/12/2021 05:37, Parag Somani wrote:
>>
>> Thank you Chesnay for expediting this fix...!
>>
>>
>>
>> Can you suggest, when can I get binaries for 1.14.2 flink version?
>>
>>
>>
>> On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ch...@apache.org>
>> wrote:
>>
>> We will push docker images for all new releases, yes.
>>
>>
>>
>> On 16/12/2021 01:16, Michael Guterl wrote:
>>
>> Will you all be pushing Docker images for the 1.11.6 release?
>>
>>
>>
>> On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ch...@apache.org>
>> wrote:
>>
>> The current ETA is 40h for an official announcement.
>>
>> We are validating the release today (concludes in 16h), publish it
>> tonight, then wait for mirrors to be synced (about a day), then we announce
>> it.
>>
>>
>>
>> On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
>>
>> Hello,
>>
>>
>>
>> Could you please tell when we can expect Flink 1.12.7 release? We are
>> waiting for the CVE fix.
>>
>>
>>
>> Regards,
>>
>> Suchithra
>>
>>
>>
>>
>>
>> *From:* Chesnay Schepler <ch...@apache.org>
>> *Sent:* Wednesday, December 15, 2021 4:04 PM
>> *To:* Richard Deurwaarder <ri...@xeli.eu>
>> *Cc:* user <us...@flink.apache.org>
>> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>>
>>
>>
>> We will also update the docker images.
>>
>>
>>
>> On 15/12/2021 11:29, Richard Deurwaarder wrote:
>>
>> Thanks for picking this up quickly!
>>
>>
>>
>> I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which
>> is perfect.
>>
>>
>>
>> Just to clarify: Will you also push new docker images for these releases
>> as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :()
>>
>>
>>
>> On Tue, Dec 14, 2021 at 2:33 AM narasimha <sw...@gmail.com> wrote:
>>
>> Thanks Timo, that was helpful.
>>
>>
>>
>> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <
>> prasannakumarramani@gmail.com> wrote:
>>
>> Chesnay Thank you for the clarification.
>>
>>
>>
>> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ch...@apache.org>
>> wrote:
>>
>> The flink-shaded-zookeeper jars do not contain log4j.
>>
>>
>>
>> On 13/12/2021 14:11, Prasanna kumar wrote:
>>
>> Does Zookeeper have this vulnerability dependency? I see references to
>> log4j in Shaded Zookeeper jar included as part of the flink distribution.
>>
>>
>>
>> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <tw...@apache.org> wrote:
>>
>> While we are working to upgrade the affected dependencies of all
>> components, we recommend users follow the advisory of the Apache Log4j
>> Community. Also Ververica platform can be patched with a similar approach:
>>
>> To configure the JVMs used by Ververica Platform, you can pass custom
>> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
>> following to your platform values.yaml, or append to the existing value
>> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
>> the platform with Helm:
>> env:
>>    - name: JAVA_TOOL_OPTIONS
>>      value: -Dlog4j2.formatMsgNoLookups=true
>>
>>
>> For any questions, please contact us via our support portal.
>>
>> Regards,
>> Timo
>>
>> On 11.12.21 06:45, narasimha wrote:
>> > Folks, what about the Ververica platform. Is there any
>> mitigation around it?
>> >
>> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <chesnay@apache.org> wrote:
>> >
>> >     I would recommend to modify your log4j configurations to set
>> >     log4j2.formatMsgNoLookups to true.
>> >
>> >     As far as I can tell this is equivalent to upgrading log4j, which
>> >     just disabled this lookup by default.
>> >
>> >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>> >>     Hello,
>> >>
>> >>     There has been a log4j2 vulnerability made public
>> >>     https://www.randori.com/blog/cve-2021-44228/ which is making
>> >>     some waves :)
>> >>     This post even explicitly mentions Apache Flink:
>> >>
>> >>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>> >>
>> >>     And fortunately, I saw this was already on your radar:
>> >>     https://issues.apache.org/jira/browse/FLINK-25240
>> >>
>> >>     What would the advice be for flink users? Do you expect to push a
>> >>     minor to fix this? Or is it advisable to upgrade to the latest
>> >>     log4j2 version manually for now?
>> >>
>> >>     Thanks for any advice!
>> >
>> >
>> >
>> >
>> > --
>> > A.Narasimha Swamy
>>
>>
>>
>>
>>
>>
>> --
>>
>> A.Narasimha Swamy
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>>
>> Regards,
>> Parag Surajmal Somani.
>>
>>
>>
>>
>>
>>
>> --
>>
>> A.Narasimha Swamy
>>
>>


Re: CVE-2021-44228 - Log4j2 vulnerability

Posted by David Morávek <dm...@apache.org>.
The Flink community officially only supports the current and previous minor
versions [1] (1.13, 1.14) with bug fixes. Personally I wouldn't expect
there to be another patch release for 1.12.

If you really need an extra release for the unsupported version, the most
straightforward approach would be manually building the Flink distribution
from sources [2] with the patches you need.

[1] https://flink.apache.org/downloads.html#update-policy-for-old-releases
[2]
https://github.com/apache/flink/tree/release-1.12#building-apache-flink-from-source

D.

On Sun 9. 1. 2022 at 10:10, V N, Suchithra (Nokia - IN/Bangalore) <
suchithra.v_n@nokia.com> wrote:

> Hi David,
>
>
>
> As per the below comments, Flink 1.14.3 is in preparation and this hasn't
> started yet for Flink 1.13.6. Will the Flink 1.12.8 release be planned after
> this? If there is no current plan, could you please let us know what the
> regular release timing for the 1.12.8 version will be.
>
>
>
> Regards,
>
> Suchithra
>
>
>
> *From:* David Morávek <dm...@apache.org>
> *Sent:* Sunday, January 9, 2022 12:11 AM
> *To:* V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>
> *Cc:* Chesnay Schepler <ch...@apache.org>; Martijn Visser <
> martijn@ververica.com>; Michael Guterl <gu...@justin.tv>; Parag Somani <
> somaniparag@gmail.com>; Patrick.Eifler@sony.com; Richard Deurwaarder <
> richard@xeli.eu>; User <us...@flink.apache.org>; subharaj.manna@gmail.com;
> swamy.hajeed@gmail.com
> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>
>
>
> Hi Suchithra,
>
>
>
> there is currently no plan on doing another 1.12 release.
>
>
>
> D.
>
>
>
> On Sat 8. 1. 2022 at 18:02, V N, Suchithra (Nokia - IN/Bangalore) <
> suchithra.v_n@nokia.com> wrote:
>
> Hi,
>
>
>
> When can we expect the flink 1.12 releases with log4j 2.17.1?
>
>
>
> Thanks,
>
> Suchithra
>
>
>
> *From:* Martijn Visser <ma...@ververica.com>
> *Sent:* Thursday, January 6, 2022 7:45 PM
> *To:* Patrick.Eifler@sony.com
> *Cc:* David Morávek <dm...@apache.org>; swamy.hajeed@gmail.com;
> subharaj.manna@gmail.com; V N, Suchithra (Nokia - IN/Bangalore) <
> suchithra.v_n@nokia.com>; Chesnay Schepler <ch...@apache.org>; User <
> user@flink.apache.org>; Michael Guterl <gu...@justin.tv>; Richard
> Deurwaarder <ri...@xeli.eu>; Parag Somani <so...@gmail.com>
> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>
>
>
> Hi all,
>
>
>
> The ticket for upgrading Log4J to 2.17.0 is
> https://issues.apache.org/jira/browse/FLINK-25375. There's also the
> update to Log4j 2.17.1 which is tracked under
> https://issues.apache.org/jira/browse/FLINK-25472
>
>
>
> As you can see, both have a fix version set to 1.14.3 and 1.13.6. These
> versions haven't been released yet. Flink 1.14.3 is in preparation, this
> hasn't started yet for Flink 1.13.6.
>
>
>
> Best regards,
>
>
>
> Martijn
>
>
>
> On Thu, 6 Jan 2022 at 15:05, <Pa...@sony.com> wrote:
>
> Hi,
>
>
>
> just to be sure: Which Flink Releases for 1.14 and 1.13 have the upgraded
> log4j version 2.17.0?
>
> Are those already deployed to docker?
>
>
>
> Many Thanks in Advance.
>
>
>
> Kind Regards,
>
>
>
> Patrick
>
> --
>
> Patrick Eifler
>
>
>
> Senior Software Engineer (BI)
>
> Cloud Gaming Engineering & Infrastructure
> Sony Interactive Entertainment LLC
>
> Wilhelmstraße 118, 10963 Berlin
>
>
> Germany
>
> E: patrick.eifler@sony.com
>
>
>
> *From: *David Morávek <dm...@apache.org>
> *Date: *Wednesday, 29. December 2021 at 09:35
> *To: *narasimha <sw...@gmail.com>
> *Cc: *Debraj Manna <su...@gmail.com>, Martijn Visser <
> martijn@ververica.com>, V N, Suchithra (Nokia - IN/Bangalore) <
> suchithra.v_n@nokia.com>, Chesnay Schepler <ch...@apache.org>, user <
> user@flink.apache.org>, Michael Guterl <gu...@justin.tv>, Richard
> Deurwaarder <ri...@xeli.eu>, Parag Somani <so...@gmail.com>
> *Subject: *Re: CVE-2021-44228 - Log4j2 vulnerability
>
> Please follow the above mentioned ML thread for more details. Please note
> that this is a REGULAR release that is not motivated by the log4j CVE, so
> the stability of the release is the more important factor than having it
> out as soon as possible.
>
>
>
> D.
>
>
>
> On Mon, Dec 27, 2021 at 6:33 AM narasimha <sw...@gmail.com> wrote:
>
> Hi folks,
>
>
>
> When can we expect the release to be made available to the community?
>
>
>
> On Wed, Dec 22, 2021 at 3:07 PM David Morávek <dm...@apache.org> wrote:
>
> Hi Debraj,
>
>
>
> we're currently not planning another emergency release as this CVE is not
> as critical for Flink users as the previous one. However, this patch will
> be included in all upcoming patch & minor releases. The patch release for
> the 1.14.x branch is already in progress [1] (it may be a bit delayed due to
> the holiday season).
>
>
>
> [1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk
>
>
>
> Best,
>
> D.
>
>
>
> On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <su...@gmail.com>
> wrote:
>
> Any idea when can we expect
> https://issues.apache.org/jira/browse/FLINK-25375
> to be released?
>
>
>
> On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <ma...@ververica.com>
> wrote:
>
> Hi,
>
>
>
> The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked
> at https://issues.apache.org/jira/browse/FLINK-25375.
>
>
>
> Best regards,
>
>
>
> Martijn
>
>
>
> On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) <
> suchithra.v_n@nokia.com> wrote:
>
> Hi,
>
>
>
> It seems there is a high severity vulnerability in log4j 2.16.0 (CVE-2021-45105).
>
> Refer : https://logging.apache.org/log4j/2.x/security.html
>
> Any update on this please?
>
>
>
> Regards,
>
> Suchithra
>
>
>
> *From:* Chesnay Schepler <ch...@apache.org>
> *Sent:* Thursday, December 16, 2021 4:35 PM
> *To:* Parag Somani <so...@gmail.com>
> *Cc:* Michael Guterl <gu...@justin.tv>; V N, Suchithra (Nokia -
> IN/Bangalore) <su...@nokia.com>; Richard Deurwaarder <
> richard@xeli.eu>; user <us...@flink.apache.org>
> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>
>
>
> We will announce the releases when the binaries are available.
>
>
>
> On 16/12/2021 05:37, Parag Somani wrote:
>
> Thank you Chesnay for expediting this fix...!
>
>
>
> Can you suggest, when can I get binaries for 1.14.2 flink version?
>
>
>
> On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ch...@apache.org>
> wrote:
>
> We will push docker images for all new releases, yes.
>
>
>
> On 16/12/2021 01:16, Michael Guterl wrote:
>
> Will you all be pushing Docker images for the 1.11.6 release?
>
>
>
> On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ch...@apache.org>
> wrote:
>
> The current ETA is 40h for an official announcement.
>
> We are validating the release today (concludes in 16h), publish it
> tonight, then wait for mirrors to be synced (about a day), then we announce
> it.
>
>
>
> On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
>
> Hello,
>
>
>
> Could you please tell when we can expect Flink 1.12.7 release? We are
> waiting for the CVE fix.
>
>
>
> Regards,
>
> Suchithra
>
>
>
>
>
> *From:* Chesnay Schepler <ch...@apache.org>
> *Sent:* Wednesday, December 15, 2021 4:04 PM
> *To:* Richard Deurwaarder <ri...@xeli.eu>
> *Cc:* user <us...@flink.apache.org>
> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>
>
>
> We will also update the docker images.
>
>
>
> On 15/12/2021 11:29, Richard Deurwaarder wrote:
>
> Thanks for picking this up quickly!
>
>
>
> I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which
> is perfect.
>
>
>
> Just to clarify: Will you also push new docker images for these releases
> as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :()
>
>
>
> On Tue, Dec 14, 2021 at 2:33 AM narasimha <sw...@gmail.com> wrote:
>
> Thanks Timo, that was helpful.
>
>
>
> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <
> prasannakumarramani@gmail.com> wrote:
>
> Chesnay Thank you for the clarification.
>
>
>
> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ch...@apache.org>
> wrote:
>
> The flink-shaded-zookeeper jars do not contain log4j.
>
>
>
> On 13/12/2021 14:11, Prasanna kumar wrote:
>
> Does Zookeeper have this vulnerability dependency? I see references to
> log4j in Shaded Zookeeper jar included as part of the flink distribution.
>
>
>
> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <tw...@apache.org> wrote:
>
> While we are working to upgrade the affected dependencies of all
> components, we recommend users follow the advisory of the Apache Log4j
> Community. Also Ververica platform can be patched with a similar approach:
>
> To configure the JVMs used by Ververica Platform, you can pass custom
> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
> following to your platform values.yaml, or append to the existing value
> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
> the platform with Helm:
> env:
>    - name: JAVA_TOOL_OPTIONS
>      value: -Dlog4j2.formatMsgNoLookups=true
>
>
> For any questions, please contact us via our support portal.
>
> Regards,
> Timo
>
> On 11.12.21 06:45, narasimha wrote:
> > Folks, what about the Ververica platform. Is there any
> mitigation around it?
> >
> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <chesnay@apache.org> wrote:
> >
> >     I would recommend to modify your log4j configurations to set
> >     log4j2.formatMsgNoLookups to true.
> >
> >     As far as I can tell this is equivalent to upgrading log4j, which
> >     just disabled this lookup by default.
> >
> >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
> >>     Hello,
> >>
> >>     There has been a log4j2 vulnerability made public
> >>     https://www.randori.com/blog/cve-2021-44228/ which is making
> >>     some waves :)
> >>     This post even explicitly mentions Apache Flink:
> >>
> >>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
> >>
> >>     And fortunately, I saw this was already on your radar:
> >>     https://issues.apache.org/jira/browse/FLINK-25240
> >>
> >>     What would the advice be for flink users? Do you expect to push a
> >>     minor to fix this? Or is it advisable to upgrade to the latest
> >>     log4j2 version manually for now?
> >>
> >>     Thanks for any advice!
> >
> >
> >
> >
> > --
> > A.Narasimha Swamy
>
>
>
>
>
>
> --
>
> A.Narasimha Swamy
>
>
>
>
>
>
>
>
>
> --
>
> Regards,
> Parag Surajmal Somani.
>
>
>
>
>
>
> --
>
> A.Narasimha Swamy
>
>
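
The practical questions in this thread reduce to two checks on a running deployment: which Log4j 2 version the Flink distribution actually bundles in lib/, and whether the interim JAVA_TOOL_OPTIONS mitigation Timo and Chesnay describe is set. The script below is an added example, not code from the Flink project or from anyone in this thread. It assumes Maven-style jar names (`<artifact>-<version>.jar`), uses 2.17.1 (the version tracked in FLINK-25472) as the floor, and runs on a constructed listing modelled on a 1.14.0-era lib/ directory; the jar names in the sample are illustrative, not copied from a real download.

```python
"""Audit a Flink distribution's lib/ directory for bundled Log4j 2 jars.

Added example, not Flink project code. Reports which Log4j 2 artifacts are
present, whether each is at or above the target version, and whether the
stopgap -Dlog4j2.formatMsgNoLookups=true flag is present in JAVA_TOOL_OPTIONS.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Log4j 2 artifact ids that a Flink distribution ships in lib/ (assumption:
# Maven naming <artifact>-<version>.jar, which is what the Flink tarballs use).
LOG4J2_ARTIFACTS = ("log4j-api", "log4j-core", "log4j-slf4j-impl", "log4j-1.2-api")

# Floor taken from the thread: FLINK-25472 tracks the move to Log4j 2.17.1.
TARGET_VERSION = (2, 17, 1)

# Non-greedy artifact part, then a dotted numeric version, then ".jar".
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_jar_name(name: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Split 'log4j-core-2.16.0.jar' into ('log4j-core', (2, 16, 0)).

    Returns None for files that do not follow the <artifact>-<version>.jar shape.
    """
    m = JAR_RE.match(name)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("artifact"), version


def audit_lib_dir(jar_names: List[str], target=TARGET_VERSION) -> Dict[str, str]:
    """Map every Log4j 2 artifact found to 'ok' (>= target) or 'upgrade'.

    Jars that are not Log4j artifacts are ignored; flink-shaded-zookeeper is
    one of them, which matches Chesnay's note that it does not contain log4j.
    """
    verdicts: Dict[str, str] = {}
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact not in LOG4J2_ARTIFACTS:
            continue
        # Tuple comparison orders (2, 16, 0) < (2, 17, 0) < (2, 17, 1).
        verdicts[artifact] = "ok" if version >= target else "upgrade"
    return verdicts


def lookups_disabled(java_tool_options: str) -> bool:
    """True if JAVA_TOOL_OPTIONS carries exactly -Dlog4j2.formatMsgNoLookups=true.

    The JVM splits JAVA_TOOL_OPTIONS on whitespace, so a whole-token match is
    the right test; '=false' or a misspelt property must not count.
    """
    return any(
        option == "-Dlog4j2.formatMsgNoLookups=true"
        for option in java_tool_options.split()
    )


def audit_distribution(lib_dir: Path, java_tool_options: str = "") -> dict:
    """Run both checks against a real $FLINK_HOME/lib and the JVM options in use."""
    names = [p.name for p in lib_dir.glob("*.jar")]
    return {"jars": audit_lib_dir(names), "no_lookups": lookups_disabled(java_tool_options)}


# Constructed sample listing (illustrative names, not a real download).
SAMPLE_LIB = [
    "flink-dist_2.12-1.14.0.jar",
    "flink-shaded-zookeeper-3.4.14.jar",
    "log4j-api-2.16.0.jar",
    "log4j-core-2.16.0.jar",
    "log4j-slf4j-impl-2.16.0.jar",
    "log4j-1.2-api-2.16.0.jar",
]


if __name__ == "__main__":
    for artifact, verdict in sorted(audit_lib_dir(SAMPLE_LIB).items()):
        print(f"{artifact:18s} {verdict}")
    print("formatMsgNoLookups set:",
          lookups_disabled("-Xmx2g -Dlog4j2.formatMsgNoLookups=true"))
```

Point `audit_distribution` at a real `$FLINK_HOME/lib` together with the JVM's current JAVA_TOOL_OPTIONS to audit a deployment or a container image built from the official Flink images. Treat the flag check as a record of the stopgap only: the lasting fix the thread converges on is running a release whose bundled jars pass the version check, which is why the artifact verdict is the one to act on.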

RE: CVE-2021-44228 - Log4j2 vulnerability

Posted by "V N, Suchithra (Nokia - IN/Bangalore)" <su...@nokia.com>.
Hi David,

As per the below comments, Flink 1.14.3 is in preparation and this hasn't started yet for Flink 1.13.6. Will the Flink 1.12.8 release be planned after this? If there is no current plan, could you please let us know what the regular release timing for the 1.12.8 version will be.

Regards,
Suchithra

From: David Morávek <dm...@apache.org>
Sent: Sunday, January 9, 2022 12:11 AM
To: V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>
Cc: Chesnay Schepler <ch...@apache.org>; Martijn Visser <ma...@ververica.com>; Michael Guterl <gu...@justin.tv>; Parag Somani <so...@gmail.com>; Patrick.Eifler@sony.com; Richard Deurwaarder <ri...@xeli.eu>; User <us...@flink.apache.org>; subharaj.manna@gmail.com; swamy.hajeed@gmail.com
Subject: Re: CVE-2021-44228 - Log4j2 vulnerability

Hi Suchithra,

there is currently no plan on doing another 1.12 release.

D.

On Sat 8. 1. 2022 at 18:02, V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com> wrote:
Hi,

When can we expect the flink 1.12 releases with log4j 2.17.1?

Thanks,
Suchithra

From: Martijn Visser <ma...@ververica.com>
Sent: Thursday, January 6, 2022 7:45 PM
To: Patrick.Eifler@sony.com
Cc: David Morávek <dm...@apache.org>; swamy.hajeed@gmail.com; subharaj.manna@gmail.com; V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>; Chesnay Schepler <ch...@apache.org>; User <us...@flink.apache.org>; Michael Guterl <gu...@justin.tv>; Richard Deurwaarder <ri...@xeli.eu>; Parag Somani <so...@gmail.com>
Subject: Re: CVE-2021-44228 - Log4j2 vulnerability

Hi all,

The ticket for upgrading Log4J to 2.17.0 is https://issues.apache.org/jira/browse/FLINK-25375. There's also the update to Log4j 2.17.1 which is tracked under https://issues.apache.org/jira/browse/FLINK-25472

As you can see, both have a fix version set to 1.14.3 and 1.13.6. These versions haven't been released yet. Flink 1.14.3 is in preparation, this hasn't started yet for Flink 1.13.6.

Best regards,

Martijn

On Thu, 6 Jan 2022 at 15:05, <Pa...@sony.com> wrote:
Hi,

just to be sure: Which Flink Releases for 1.14 and 1.13 have the upgraded log4j version 2.17.0?
Are those already deployed to docker?

Many Thanks in Advance.

Kind Regards,

Patrick
--
Patrick Eifler

Senior Software Engineer (BI)

Cloud Gaming Engineering & Infrastructure
Sony Interactive Entertainment LLC

Wilhelmstraße 118, 10963 Berlin

Germany

E: patrick.eifler@sony.com

From: David Morávek <dm...@apache.org>
Date: Wednesday, 29. December 2021 at 09:35
To: narasimha <sw...@gmail.com>
Cc: Debraj Manna <su...@gmail.com>, Martijn Visser <ma...@ververica.com>, V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>, Chesnay Schepler <ch...@apache.org>, user <us...@flink.apache.org>, Michael Guterl <gu...@justin.tv>, Richard Deurwaarder <ri...@xeli.eu>, Parag Somani <so...@gmail.com>
Subject: Re: CVE-2021-44228 - Log4j2 vulnerability
Please follow the above mentioned ML thread for more details. Please note that this is a REGULAR release that is not motivated by the log4j CVE, so the stability of the release is the more important factor than having it out as soon as possible.

D.

On Mon, Dec 27, 2021 at 6:33 AM narasimha <sw...@gmail.com> wrote:
Hi folks,

When can we expect the release to be made available to the community?

On Wed, Dec 22, 2021 at 3:07 PM David Morávek <dm...@apache.org> wrote:
Hi Debraj,

we're currently not planning another emergency release as this CVE is not as critical for Flink users as the previous one. However, this patch will be included in all upcoming patch & minor releases. The patch release for the 1.14.x branch is already in progress [1] (it may be a bit delayed due to the holiday season).

[1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk

Best,
D.

On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <su...@gmail.com> wrote:
Any idea when can we expect https://issues.apache.org/jira/browse/FLINK-25375 to be released?

On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <ma...@ververica.com> wrote:
Hi,

The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked at https://issues.apache.org/jira/browse/FLINK-25375.

Best regards,

Martijn

On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com> wrote:
Hi,

It seems there is a high severity vulnerability in log4j 2.16.0 (CVE-2021-45105).
Refer: https://logging.apache.org/log4j/2.x/security.html
Any update on this please?

Regards,
Suchithra

From: Chesnay Schepler <ch...@apache.org>
Sent: Thursday, December 16, 2021 4:35 PM
To: Parag Somani <so...@gmail.com>
Cc: Michael Guterl <gu...@justin.tv>; V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>; Richard Deurwaarder <ri...@xeli.eu>; user <us...@flink.apache.org>
Subject: Re: CVE-2021-44228 - Log4j2 vulnerability

We will announce the releases when the binaries are available.

On 16/12/2021 05:37, Parag Somani wrote:
Thank you Chesnay for expediting this fix...!

Can you suggest, when can I get binaries for 1.14.2 flink version?

On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ch...@apache.org> wrote:
We will push docker images for all new releases, yes.

On 16/12/2021 01:16, Michael Guterl wrote:
Will you all be pushing Docker images for the 1.11.6 release?

On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ch...@apache.org> wrote:
The current ETA is 40h for an official announcement.
We are validating the release today (concludes in 16h), publish it tonight, then wait for mirrors to be synced (about a day), then we announce it.

On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
Hello,

Could you please tell when we can expect Flink 1.12.7 release? We are waiting for the CVE fix.

Regards,
Suchithra


From: Chesnay Schepler <ch...@apache.org>
Sent: Wednesday, December 15, 2021 4:04 PM
To: Richard Deurwaarder <ri...@xeli.eu>
Cc: user <us...@flink.apache.org>
Subject: Re: CVE-2021-44228 - Log4j2 vulnerability

We will also update the docker images.

On 15/12/2021 11:29, Richard Deurwaarder wrote:
Thanks for picking this up quickly!

I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which is perfect.

Just to clarify: Will you also push new docker images for these releases as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :()

On Tue, Dec 14, 2021 at 2:33 AM narasimha <sw...@gmail.com> wrote:
Thanks Timo, that was helpful.

On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <pr...@gmail.com> wrote:
Chesnay Thank you for the clarification.

On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ch...@apache.org> wrote:
The flink-shaded-zookeeper jars do not contain log4j.

On 13/12/2021 14:11, Prasanna kumar wrote:
Does Zookeeper have this vulnerability dependency? I see references to log4j in Shaded Zookeeper jar included as part of the flink distribution.

On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <tw...@apache.org> wrote:
While we are working to upgrade the affected dependencies of all
components, we recommend users follow the advisory of the Apache Log4j
Community. Also Ververica platform can be patched with a similar approach:

To configure the JVMs used by Ververica Platform, you can pass custom
Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
following to your platform values.yaml, or append to the existing value
of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
the platform with Helm:
env:
   - name: JAVA_TOOL_OPTIONS
     value: -Dlog4j2.formatMsgNoLookups=true


For any questions, please contact us via our support portal.

Regards,
Timo

On 11.12.21 06:45, narasimha wrote:
> Folks, what about the Ververica platform. Is there any mitigation around it?
>
> On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ch...@apache.org> wrote:
>
>     I would recommend to modify your log4j configurations to set
>     log4j2.formatMsgNoLookups to true.
>
>     As far as I can tell this is equivalent to upgrading log4j, which
>     just disabled this lookup by default.
>
>     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>>     Hello,
>>
>>     There has been a log4j2 vulnerability made public
>>     https://www.randori.com/blog/cve-2021-44228/ which is making
>>     some waves :)
>>     This post even explicitly mentions Apache Flink:
>>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>>
>>     And fortunately, I saw this was already on your radar:
>>     https://issues.apache.org/jira/browse/FLINK-25240
>>
>>     What would the advice be for flink users? Do you expect to push a
>>     minor to fix this? Or is it advisable to upgrade to the latest
>>     log4j2 version manually for now?
>>
>>     Thanks for any advice!
>
>
>
>
> --
> A.Narasimha Swamy




--
A.Narasimha Swamy








--
Regards,
Parag Surajmal Somani.




--
A.Narasimha Swamy

Re: CVE-2021-44228 - Log4j2 vulnerability

Posted by David Morávek <dm...@apache.org>.
Hi Suchithra,

there is currently no plan on doing another 1.12 release

D.

On Sat 8. 1. 2022 at 18:02, V N, Suchithra (Nokia - IN/Bangalore) <
suchithra.v_n@nokia.com> wrote:

> Hi,
>
> When can we expect the flink 1.12 releases with log4j 2.17.1?
>
> Thanks,
>
> Suchithra
>
> *From:* Martijn Visser <ma...@ververica.com>
> *Sent:* Thursday, January 6, 2022 7:45 PM
> *To:* Patrick.Eifler@sony.com
> *Cc:* David Morávek <dm...@apache.org>; swamy.hajeed@gmail.com;
> subharaj.manna@gmail.com; V N, Suchithra (Nokia - IN/Bangalore) <
> suchithra.v_n@nokia.com>; Chesnay Schepler <ch...@apache.org>; User <
> user@flink.apache.org>; Michael Guterl <gu...@justin.tv>; Richard
> Deurwaarder <ri...@xeli.eu>; Parag Somani <so...@gmail.com>
> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>
> Hi all,
>
> The ticket for upgrading Log4J to 2.17.0 is
> https://issues.apache.org/jira/browse/FLINK-25375. There's also the
> update to Log4j 2.17.1 which is tracked under
> https://issues.apache.org/jira/browse/FLINK-25472
>
> As you can see, both have a fix version set to 1.14.3 and 1.13.6. These
> versions haven't been released yet. Flink 1.14.3 is in preparation, this
> hasn't started yet for Flink 1.13.6.
>
> Best regards,
>
> Martijn
>
> On Thu, 6 Jan 2022 at 15:05, <Pa...@sony.com> wrote:
>
> Hi,
>
> just to be sure: Which Flink Releases for 1.14 and 1.13 have the upgraded
> log4j version 2.17.0?
>
> Are those already deployed to docker?
>
> Many Thanks in Advance.
>
> Kind Regards,
>
> Patrick
>
> --
>
> Patrick Eifler
>
> Senior Software Engineer (BI)
>
> Cloud Gaming Engineering & Infrastructure
> Sony Interactive Entertainment LLC
>
> Wilhelmstraße 118, 10963 Berlin
>
> Germany
>
> E: patrick.eifler@sony.com
>
> *From: *David Morávek <dm...@apache.org>
> *Date: *Wednesday, 29. December 2021 at 09:35
> *To: *narasimha <sw...@gmail.com>
> *Cc: *Debraj Manna <su...@gmail.com>, Martijn Visser <
> martijn@ververica.com>, V N, Suchithra (Nokia - IN/Bangalore) <
> suchithra.v_n@nokia.com>, Chesnay Schepler <ch...@apache.org>, user <
> user@flink.apache.org>, Michael Guterl <gu...@justin.tv>, Richard
> Deurwaarder <ri...@xeli.eu>, Parag Somani <so...@gmail.com>
> *Subject: *Re: CVE-2021-44228 - Log4j2 vulnerability
>
> Please follow the above mentioned ML thread for more details. Please note
> that this is a REGULAR release that is not motivated by the log4j CVE, so
> the stability of the release is the more important factor than having it
> out as soon as possible.
>
> D.
>
> On Mon, Dec 27, 2021 at 6:33 AM narasimha <sw...@gmail.com> wrote:
>
> Hi folks,
>
> When can we expect the release to be made available to the community?
>
> On Wed, Dec 22, 2021 at 3:07 PM David Morávek <dm...@apache.org> wrote:
>
> Hi Debraj,
>
> we're currently not planning another emergency release as this CVE is not
> as critical for Flink users as the previous one. However, this patch will
> be included in all upcoming patch & minor releases. The patch release for
> the 1.14.x branch is already in progress [1] (it may be a bit delayed due to
> the holiday season).
>
> [1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk
>
> Best,
>
> D.
>
> On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <su...@gmail.com>
> wrote:
>
> Any idea when can we expect
> https://issues.apache.org/jira/browse/FLINK-25375
> to be released?
>
> On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <ma...@ververica.com>
> wrote:
>
> Hi,
>
> The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked
> at https://issues.apache.org/jira/browse/FLINK-25375.
>
> Best regards,
>
> Martijn
>
> On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) <
> suchithra.v_n@nokia.com> wrote:
>
> Hi,
>
> It seems there is a high severity vulnerability in log4j 2.16.0
> (CVE-2021-45105, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105).
>
> Refer: https://logging.apache.org/log4j/2.x/security.html
>
> Any update on this please?
>
> Regards,
>
> Suchithra
>
> *From:* Chesnay Schepler <ch...@apache.org>
> *Sent:* Thursday, December 16, 2021 4:35 PM
> *To:* Parag Somani <so...@gmail.com>
> *Cc:* Michael Guterl <gu...@justin.tv>; V N, Suchithra (Nokia -
> IN/Bangalore) <su...@nokia.com>; Richard Deurwaarder <
> richard@xeli.eu>; user <us...@flink.apache.org>
> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>
> We will announce the releases when the binaries are available.
>
> On 16/12/2021 05:37, Parag Somani wrote:
>
> Thank you Chesnay for expediting this fix...!
>
> Can you suggest, when can I get binaries for 1.14.2 flink version?
>
> On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ch...@apache.org>
> wrote:
>
> We will push docker images for all new releases, yes.
>
> On 16/12/2021 01:16, Michael Guterl wrote:
>
> Will you all be pushing Docker images for the 1.11.6 release?
>
> On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ch...@apache.org>
> wrote:
>
> The current ETA is 40h for an official announcement.
>
> We are validating the release today (concludes in 16h), publish it
> tonight, then wait for mirrors to be synced (about a day), then we announce
> it.
>
> On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
>
> Hello,
>
> Could you please tell when we can expect the Flink 1.12.7 release? We are
> waiting for the CVE fix.
>
> Regards,
>
> Suchithra
>
> *From:* Chesnay Schepler <ch...@apache.org>
> *Sent:* Wednesday, December 15, 2021 4:04 PM
> *To:* Richard Deurwaarder <ri...@xeli.eu>
> *Cc:* user <us...@flink.apache.org>
> *Subject:* Re: CVE-2021-44228 - Log4j2 vulnerability
>
> We will also update the docker images.
>
> On 15/12/2021 11:29, Richard Deurwaarder wrote:
>
> Thanks for picking this up quickly!
>
> I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which
> is perfect.
>
> Just to clarify: Will you also push new docker images for these releases
> as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :()
>
> On Tue, Dec 14, 2021 at 2:33 AM narasimha <sw...@gmail.com> wrote:
>
> Thanks Timo, that was helpful.
>
> On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <
> prasannakumarramani@gmail.com> wrote:
>
> Chesnay Thank you for the clarification.
>
> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ch...@apache.org>
> wrote:
>
> The flink-shaded-zookeeper jars do not contain log4j.
>
> On 13/12/2021 14:11, Prasanna kumar wrote:
>
> Does Zookeeper have this vulnerability dependency? I see references to
> log4j in the Shaded Zookeeper jar included as part of the flink distribution.
>
> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <tw...@apache.org> wrote:
>
> While we are working to upgrade the affected dependencies of all
> components, we recommend users follow the advisory of the Apache Log4j
> Community. Also Ververica platform can be patched with a similar approach:
>
> To configure the JVMs used by Ververica Platform, you can pass custom
> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
> following to your platform values.yaml, or append to the existing value
> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
> the platform with Helm:
>
> env:
>    - name: JAVA_TOOL_OPTIONS
>      value: -Dlog4j2.formatMsgNoLookups=true
>
> For any questions, please contact us via our support portal.
>
> Regards,
> Timo
>
> On 11.12.21 06:45, narasimha wrote:
> > Folks, what about the Ververica platform. Is there any
> > mitigation around it?
> >
> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <chesnay@apache.org
> > <ma...@apache.org>> wrote:
> >
> >     I would recommend modifying your log4j configurations to set
> >     log4j2.formatMsgNoLookups to true.
> >
> >     As far as I can tell this is equivalent to upgrading log4j, which
> >     just disabled this lookup by default.
> >
> >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
> >>     Hello,
> >>
> >>     There has been a log4j2 vulnerability made public
> >>     https://www.randori.com/blog/cve-2021-44228/ which is making
> >>     some waves :)
> >>     This post even explicitly mentions Apache Flink:
> >>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
> >>
> >>     And fortunately, I saw this was already on your radar:
> >>     https://issues.apache.org/jira/browse/FLINK-25240
> >>
> >>     What would the advice be for flink users? Do you expect to push a
> >>     minor to fix this? Or is it advisable to upgrade to the latest
> >>     log4j2 version manually for now?
> >>
> >>     Thanks for any advice!
> >
> > --
> > A.Narasimha Swamy
>
> --
> A.Narasimha Swamy
>
> --
> Regards,
> Parag Surajmal Somani.
>
> --
> A.Narasimha Swamy
>
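
A practical check for the situation David describes above (no further 1.12 release, so anyone still on that line has to verify and patch the bundled log4j themselves). The following Python script is an added example, not code from this thread or from the Flink project. It opens every jar in a lib/ directory, reads the log4j-core version from the Maven pom.properties inside the jar, checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present (the class that makes CVE-2021-44228 reachable, and whose removal is the Log4j project's documented mitigation for users who cannot upgrade), and lists the CVEs still open for that version. Checking the class rather than the file name also settles the flink-shaded-zookeeper question raised in the quoted chain: a jar that only references log4j is reported clean. The fixed-in versions are those for the main 2.x line from https://logging.apache.org/log4j/2.x/security.html (the 2.12.x and 2.3.x backport lines differ); the sample jars are constructed in memory so the script runs offline, and the /opt/flink/lib path is an assumption.

```python
"""Audit jars in a Flink lib/ directory for bundled log4j-core (added example)."""
import io
import os
import re
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# First log4j 2.x main-line release fixing each CVE (2.12.x / 2.3.x backports differ).
FIXED_IN: Dict[str, Version] = {
    "CVE-2021-44228": (2, 15, 0),  # JNDI lookup RCE ("Log4Shell")
    "CVE-2021-45046": (2, 16, 0),  # 2.15.0 fix and formatMsgNoLookups found incomplete
    "CVE-2021-45105": (2, 17, 0),  # DoS via uncontrolled lookup recursion, hits 2.16.0
    "CVE-2021-44832": (2, 17, 1),  # RCE via JDBC appender with attacker-controlled config
}


@dataclass
class Finding:
    jar: str
    version: Optional[Version]      # None when no log4j-core pom.properties (shaded jar)
    jndi_lookup_present: bool       # the class that makes CVE-2021-44228 reachable
    open_cves: List[str] = field(default_factory=list)


def parse_version(pom_properties: str) -> Optional[Version]:
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def open_cves_for(version: Optional[Version], jndi_present: bool) -> List[str]:
    """Unknown version is treated as unpatched: a false positive beats a missed jar."""
    cves = [cve for cve, fixed in FIXED_IN.items() if version is None or version < fixed]
    # Deleting JndiLookup.class is the documented stop-gap for 44228/45046; it does
    # nothing for the recursion DoS or the JDBC appender issue, so those stay open.
    if not jndi_present:
        cves = [c for c in cves if c not in ("CVE-2021-44228", "CVE-2021-45046")]
    return cves


def inspect_jar(name: str, data: bytes) -> Optional[Finding]:
    """Return a Finding if the jar carries log4j-core bits, else None."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
    if version is None and not has_jndi:
        return None  # not log4j-core, e.g. a shaded jar that merely references log4j
    return Finding(name, version, has_jndi, open_cves_for(version, has_jndi))


def audit_jars(jars: Dict[str, bytes]) -> List[Finding]:
    findings = []
    for name, data in sorted(jars.items()):
        f = inspect_jar(name, data)
        if f is not None:
            findings.append(f)
    return findings


def audit_lib_dir(lib_dir: str) -> List[Finding]:
    """Same audit over a real directory, e.g. audit_lib_dir('/opt/flink/lib') (path assumed)."""
    jars = {}
    for fn in os.listdir(lib_dir):
        if fn.endswith(".jar"):
            with open(os.path.join(lib_dir, fn), "rb") as fh:
                jars[fn] = fh.read()
    return audit_jars(jars)


# Constructed sample jars so the audit can run offline; contents are placeholders.
def make_jar(version: Optional[str], with_jndi: bool, extra: str = "") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\nversion=%s\n" % version)
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
        if extra:
            zf.writestr(extra, b"")
    return buf.getvalue()


SAMPLE_LIB = {
    "log4j-core-2.14.1.jar": make_jar("2.14.1", True),            # pre-fix release
    "log4j-core-2.16.0-stripped.jar": make_jar("2.16.0", False),  # JndiLookup.class removed by hand
    "log4j-core-2.17.1.jar": make_jar("2.17.1", True),            # fully patched
    "my-fat-job.jar": make_jar(None, True),                        # shaded log4j-core, version unknown
    "flink-shaded-zookeeper-3.jar": make_jar(None, False, "org/apache/flink/shaded/zookeeper3/X.class"),
}

if __name__ == "__main__":
    for f in audit_jars(SAMPLE_LIB):
        print("%s: version=%s JndiLookup=%s open=%s"
              % (f.jar, f.version, f.jndi_lookup_present, f.open_cves))
```

Setting log4j2.formatMsgNoLookups=true does not change what this script reports: the class stays in the jar, and the Log4j project later classed that flag as an incomplete mitigation (CVE-2021-45046), which is why 2.16.0 removed message lookups outright and why the thread ends up targeting 2.17.1. Running the audit against a real /opt/flink/lib, and against the lib/ directory of every job image, is the quickest way to confirm that a Docker image tagged with a fixed Flink version actually carries the fixed log4j.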

RE: CVE-2021-44228 - Log4j2 vulnerability

Posted by "V N, Suchithra (Nokia - IN/Bangalore)" <su...@nokia.com>.
Hi,

When can we expect the flink 1.12 releases with log4j 2.17.1?

Thanks,
Suchithra


Re: CVE-2021-44228 - Log4j2 vulnerability

Posted by Martijn Visser <ma...@ververica.com>.
Hi all,

The ticket for upgrading Log4J to 2.17.0 is
https://issues.apache.org/jira/browse/FLINK-25375. There's also the update
to Log4j 2.17.1 which is tracked under
https://issues.apache.org/jira/browse/FLINK-25472

As you can see, both have a fix version set to 1.14.3 and 1.13.6. These
versions haven't been released yet. Flink 1.14.3 is in preparation, this
hasn't started yet for Flink 1.13.6.

Best regards,

Martijn

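
For anyone who has to wait for the 1.14.3 / 1.13.6 releases Martijn describes, or who per David's earlier reply will get no 1.12 release at all, the interim step is the JAVA_TOOL_OPTIONS change Timo posted. The following Python helper is an added example, not Ververica's or Flink's code. It merges -Dlog4j2.formatMsgNoLookups=true into a Kubernetes-style env list idempotently, covering the case Timo flags (a JAVA_TOOL_OPTIONS value that already exists and must be appended to, not replaced) and the case where the flag is already present with a different value, so a stray =false cannot silently win. The values.yaml layout is assumed to be a plain list of name/value entries; the sample env list is constructed.

```python
"""Idempotently add the log4j mitigation flag to a Helm values env list (added example)."""
from typing import Dict, List

FLAG_KEY = "-Dlog4j2.formatMsgNoLookups"
FLAG = FLAG_KEY + "=true"
ENV_NAME = "JAVA_TOOL_OPTIONS"


def merge_java_tool_options(existing: str) -> str:
    """Append FLAG to an existing JAVA_TOOL_OPTIONS value.

    Any earlier -Dlog4j2.formatMsgNoLookups=<x> token is dropped first, so the
    result carries exactly one copy of the flag and it is always =true.
    """
    kept = [tok for tok in existing.split() if not tok.startswith(FLAG_KEY + "=")]
    kept.append(FLAG)
    return " ".join(kept)


def add_mitigation(env: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return a new env list with the flag set; the input list is left untouched."""
    out = [dict(entry) for entry in env]
    for entry in out:
        if entry.get("name") == ENV_NAME:
            entry["value"] = merge_java_tool_options(entry.get("value", ""))
            return out
    out.append({"name": ENV_NAME, "value": FLAG})
    return out


def to_yaml(env: List[Dict[str, str]]) -> str:
    """Render the list in the values.yaml shape used in the thread."""
    lines = ["env:"]
    for entry in env:
        lines.append("  - name: %s" % entry["name"])
        lines.append("    value: %s" % entry["value"])
    return "\n".join(lines)


# Constructed sample: a platform that already sets heap options via JAVA_TOOL_OPTIONS.
SAMPLE_ENV = [
    {"name": "TZ", "value": "UTC"},
    {"name": "JAVA_TOOL_OPTIONS", "value": "-Xmx2g -Dlog4j2.formatMsgNoLookups=false"},
]

if __name__ == "__main__":
    print(to_yaml(add_mitigation(SAMPLE_ENV)))
```

Two caveats worth keeping in mind. The JVM parses JAVA_TOOL_OPTIONS before the command line, so a -Dlog4j2.formatMsgNoLookups=false passed through env.java.opts in flink-conf.yaml would override it; confirm the effective value on a running JobManager or TaskManager with jcmd <pid> VM.system_properties. And the property only exists in log4j 2.10 and later; the Log4j project later rated it an incomplete mitigation (CVE-2021-45046), and it does nothing for the 2.16.0 recursion DoS (CVE-2021-45105), so it buys time until the 2.17.x upgrade rather than replacing it.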