Posted to user@flink.apache.org by "V N, Suchithra (Nokia - IN/Bangalore)" <su...@nokia.com> on 2021/12/18 17:27:41 UTC

RE: Suspected SPAM - RE: CVE-2021-44228 - Log4j2 vulnerability

Hi,

We are using the hadoop2 uber jar provided by Flink. As there are many CVEs being reported for logging, are any CVEs applicable to this uber jar?
https://repo.maven.apache.org/maven2/org/apache/flink/flink-shaded-hadoop-2-uber/2.7.5-10.0/flink-shaded-hadoop-2-uber-2.7.5-10.0.jar

Thanks,
Suchithra

From: V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>
Sent: Saturday, December 18, 2021 9:20 PM
To: Chesnay Schepler <ch...@apache.org>; user <us...@flink.apache.org>
Cc: Michael Guterl <gu...@justin.tv>; Richard Deurwaarder <ri...@xeli.eu>; Parag Somani <so...@gmail.com>
Subject: Suspected SPAM - RE: CVE-2021-44228 - Log4j2 vulnerability

Hi,

It seems there is a high severity vulnerability in log4j 2.16.0 (CVE-2021-45105, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105).
Refer to: https://logging.apache.org/log4j/2.x/security.html
Any update on this please?

Regards,
Suchithra

From: Chesnay Schepler <ch...@apache.org>
Sent: Thursday, December 16, 2021 4:35 PM
To: Parag Somani <so...@gmail.com>
Cc: Michael Guterl <gu...@justin.tv>; V N, Suchithra (Nokia - IN/Bangalore) <su...@nokia.com>; Richard Deurwaarder <ri...@xeli.eu>; user <us...@flink.apache.org>
Subject: Re: CVE-2021-44228 - Log4j2 vulnerability

We will announce the releases when the binaries are available.

On 16/12/2021 05:37, Parag Somani wrote:
Thank you Chesnay for expediting this fix...!

Can you suggest, when can I get binaries for 1.14.2 flink version?

On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ch...@apache.org> wrote:
We will push docker images for all new releases, yes.

On 16/12/2021 01:16, Michael Guterl wrote:
Will you all be pushing Docker images for the 1.11.6 release?

On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ch...@apache.org> wrote:
The current ETA is 40h for an official announcement.
We are validating the release today (concludes in 16h), will publish it tonight, then wait for the mirrors to sync (about a day), then we announce it.

On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote:
Hello,

Could you please tell when we can expect Flink 1.12.7 release? We are waiting for the CVE fix.

Regards,
Suchithra


From: Chesnay Schepler <ch...@apache.org>
Sent: Wednesday, December 15, 2021 4:04 PM
To: Richard Deurwaarder <ri...@xeli.eu>
Cc: user <us...@flink.apache.org>
Subject: Re: CVE-2021-44228 - Log4j2 vulnerability

We will also update the docker images.

On 15/12/2021 11:29, Richard Deurwaarder wrote:
Thanks for picking this up quickly!

I saw you've made a second minor upgrade to upgrade to log4j2 2.16, which is perfect.

Just to clarify: will you also push new Docker images for these releases? In particular Flink 1.11.6 (sorry, we must upgrade soon! :()

On Tue, Dec 14, 2021 at 2:33 AM narasimha <sw...@gmail.com> wrote:
Thanks Timo, that was helpful.

On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <pr...@gmail.com> wrote:
Chesnay Thank you for the clarification.

On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ch...@apache.org> wrote:
The flink-shaded-zookeeper jars do not contain log4j.

On 13/12/2021 14:11, Prasanna kumar wrote:
Does Zookeeper have this vulnerable dependency? I see references to log4j in the shaded Zookeeper jar included as part of the Flink distribution.

On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <tw...@apache.org> wrote:
While we are working to upgrade the affected dependencies of all
components, we recommend users follow the advisory of the Apache Log4j
Community. Also, Ververica Platform can be patched with a similar approach:

To configure the JVMs used by Ververica Platform, you can pass custom
Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
following to your platform values.yaml, or append to the existing value
of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
the platform with Helm:
env:
   - name: JAVA_TOOL_OPTIONS
     value: -Dlog4j2.formatMsgNoLookups=true


For any questions, please contact us via our support portal.

Regards,
Timo

On 11.12.21 06:45, narasimha wrote:
> Folks, what about the veverica platform. Is there any mitigation around it?
>
> On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ch...@apache.org> wrote:
>
>     I would recommend modifying your log4j configurations to set
>     log4j2.formatMsgNoLookups to true.
>
>     As far as I can tell this is equivalent to upgrading log4j, which
>     just disabled this lookup by default.
>
>     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>>     Hello,
>>
>>     There has been a log4j2 vulnerability made public
>>     https://www.randori.com/blog/cve-2021-44228/ which is making
>>     some waves :)
>>     This post even explicitly mentions Apache Flink:
>>     https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>>
>>     And fortunately, I saw this was already on your radar:
>>     https://issues.apache.org/jira/browse/FLINK-25240
>>
>>     What would the advice be for flink users? Do you expect to push a
>>     minor to fix this? Or is it advisable to upgrade to the latest
>>     log4j2 version manually for now?
>>
>>     Thanks for any advice!
>
> --
> A.Narasimha Swamy




--
A.Narasimha Swamy
--
Regards,
Parag Surajmal Somani.
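The questions in the thread about whether the shaded hadoop and zookeeper jars carry log4j, and the formatMsgNoLookups mitigation Chesnay and Timo describe, both come down to what a given jar actually bundles. The following is an added example, not code from the thread or the Flink project: it inspects a jar's entries for an embedded log4j-core version and the JndiLookup class, matching on path suffixes so relocated (shaded) packages are still found, and reports whether that version even supports the log4j2.formatMsgNoLookups property; the sample jar layout it builds is constructed for the demonstration.

```python
"""Report whether a jar (plain or shaded/uber) bundles log4j-core and which version.
Added example, not code from the thread or the Flink project; path-suffix matching
also finds relocated (shaded) packages."""
import io
import re
import sys
import zipfile

POM_SUFFIX = "/log4j-core/pom.properties"
JNDI_SUFFIX = "/log4j/core/lookup/JndiLookup.class"


def inspect_jar(data: bytes) -> dict:
    """Scan jar bytes: log4j-core version (or None), whether JndiLookup.class is
    present, and whether the log4j2.formatMsgNoLookups property is supported."""
    version, jndi = None, False
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            if name.endswith(JNDI_SUFFIX):
                jndi = True
            elif name.endswith(POM_SUFFIX):
                props = jar.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.MULTILINE)
                if m:
                    version = m.group(1)
    supported = None
    if version:
        m = re.match(r"(\d+)\.(\d+)", version)
        # The property only exists from log4j 2.10 on; older 2.x builds need an
        # upgrade (or removal of the class) rather than the flag.
        supported = bool(m) and (int(m.group(1)), int(m.group(2))) >= (2, 10)
    return {"log4j_core_version": version, "jndi_lookup_present": jndi,
            "format_msg_no_lookups_supported": supported}


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed sample jar (demonstration only), laid out like a shaded uber jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("META-INF/maven/org.apache.logging.log4j" + POM_SUFFIX,
                     f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:  # placeholder bytes, not a real class file
            jar.writestr("org/example/shaded/org/apache/logging" + JNDI_SUFFIX, b"\xca\xfe")
        jar.writestr("org/apache/hadoop/Placeholder.class", b"\xca\xfe")
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar("2.14.1", True)
    print(inspect_jar(data))
```

Run it with a jar path (for instance the hadoop uber jar from the thread) to inspect a real file; with no argument it scans the constructed sample.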