You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@flink.apache.org by "Abdelrahman (Jira)" <ji...@apache.org> on 2021/12/20 16:06:00 UTC

[jira] [Created] (FLINK-25394) [Flink-ML] Upgrade log4j to 2.17.0 to address CVE-2021-45105

Abdelrahman created FLINK-25394:
-----------------------------------

             Summary: [Flink-ML] Upgrade log4j to 2.17.0 to address CVE-2021-45105
                 Key: FLINK-25394
                 URL: https://issues.apache.org/jira/browse/FLINK-25394
             Project: Flink
          Issue Type: Improvement
    Affects Versions: 1.14.2
            Reporter: Abdelrahman


Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)