Posted to user@flink.apache.org by Konstantin Knauf <kn...@apache.org> on 2021/12/10 16:39:59 UTC

Advise on Apache Log4j Zero Day (CVE-2021-44228)

Dear Flink Community,

Yesterday, a new Zero Day for Apache Log4j was reported [1]. It is now
tracked under CVE-2021-44228 [2].

Apache Flink bundles a version of Log4j that is affected by this
vulnerability. We recommend that users follow the advisory [3] of the Apache
Log4j Community. For Apache Flink this currently translates to “setting
system property log4j2.formatMsgNoLookups to true” until Log4j has been
upgraded to 2.15.0 in Apache Flink.
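As an added example (not part of Konstantin's message or of the Flink project's own tooling), the POSIX shell script below checks a Flink installation for the two states the advice describes: whether the bundled log4j-core jar is already at 2.15.0 or newer, and, if not, whether the stopgap system property log4j2.formatMsgNoLookups=true is being passed to the JVM. It assumes the JVM flags are set through the Flink configuration key env.java.opts (or its jobmanager/taskmanager variants) in conf/flink-conf.yaml and that the bundled jar follows the usual log4j-core-<version>.jar naming; the directory layout it builds for the demonstration is constructed, not a real install.

```shell
#!/bin/sh
# Added example: classify a Flink install as "patched", "mitigated" or "vulnerable"
# with respect to CVE-2021-44228. Assumptions: JVM flags live in env.java.opts
# (or env.java.opts.jobmanager / env.java.opts.taskmanager) in conf/flink-conf.yaml,
# and the bundled jar is named lib/log4j-core-<version>.jar.

# Returns 0 when the given flink-conf.yaml passes -Dlog4j2.formatMsgNoLookups=true
# through one of the env.java.opts keys.
has_nolookups_flag() {
  conf="$1"
  [ -r "$conf" ] || return 1
  grep -E '^[[:space:]]*env\.java\.opts(\.(jobmanager|taskmanager))?[[:space:]]*:' "$conf" \
    | grep -q -- '-Dlog4j2\.formatMsgNoLookups=true'
}

# Prints the version embedded in lib/log4j-core-<version>.jar; returns 1 if no such jar.
log4j_core_version() {
  for jar in "$1"/log4j-core-*.jar; do
    [ -e "$jar" ] || return 1
    basename "$jar" .jar | sed 's/^log4j-core-//'
    return 0
  done
}

# Returns 0 when dotted version $1 is >= dotted version $2 (compares up to three fields;
# a missing field counts as 0, so 2.15 equals 2.15.0).
version_ge() {
  a="$1"; b="$2"; i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Prints "patched" (log4j-core >= 2.15.0), "mitigated" (older jar but the lookup
# property is set) or "vulnerable" (neither); exit status is 1 only for "vulnerable".
assess_flink_install() {
  root="$1"
  v=$(log4j_core_version "$root/lib") || v=""
  if [ -n "$v" ] && version_ge "$v" "2.15.0"; then
    echo patched; return 0
  fi
  if has_nolookups_flag "$root/conf/flink-conf.yaml"; then
    echo mitigated; return 0
  fi
  echo vulnerable; return 1
}

# Builds a constructed, Flink-like directory for demonstration only (the jar is an empty
# file). $1 = target dir, $2 = log4j-core version to fake, $3 = "flag" to add the property.
make_fixture() {
  mkdir -p "$1/conf" "$1/lib"
  : > "$1/lib/log4j-core-$2.jar"
  if [ "$3" = "flag" ]; then
    printf 'jobmanager.rpc.address: localhost\nenv.java.opts: -Dlog4j2.formatMsgNoLookups=true\n' \
      > "$1/conf/flink-conf.yaml"
  else
    printf 'jobmanager.rpc.address: localhost\n' > "$1/conf/flink-conf.yaml"
  fi
}

# Demonstration on three constructed installs: unmitigated, property set, upgraded jar.
tmp=$(mktemp -d)
make_fixture "$tmp/a" 2.14.1 noflag
make_fixture "$tmp/b" 2.14.1 flag
make_fixture "$tmp/c" 2.15.0 noflag
for d in a b c; do
  result=$(assess_flink_install "$tmp/$d") || true
  printf '%s: %s\n' "$d" "$result"
done
rm -rf "$tmp"
```

Against a real installation you would call `assess_flink_install /opt/flink` (path assumed) and act on "vulnerable"; "mitigated" is only the interim state the advice describes, and the upgrade to 2.15.0 remains the fix.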

This effort is tracked in FLINK-25240 [4]. It will be included in Flink
1.15.0, Flink 1.14.1 and Flink 1.13.3. We expect Flink 1.14.1 to be
released in the next 1-2 weeks. The other releases will follow in their
regular cadence.

This advice has also been published on the Apache Flink blog
https://flink.apache.org/2021/12/10/log4j-cve.html.

Best,

Konstantin

[1] https://www.cyberkendra.com/2021/12/apache-log4j-vulnerability-details-and.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-44228
[3] https://logging.apache.org/log4j/2.x/security.html
[4] https://issues.apache.org/jira/browse/FLINK-25240

-- 

Konstantin Knauf

https://twitter.com/snntrable

https://github.com/knaufk