Posted to commits@flink.apache.org by kn...@apache.org on 2021/12/10 16:19:21 UTC

[flink-web] branch asf-site updated: Add blog post about Log4j Zero Day

This is an automated email from the ASF dual-hosted git repository.

knaufk pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/flink-web.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 4c7ca4b  Add blog post about Log4j Zero Day
4c7ca4b is described below

commit 4c7ca4b1c1a28d70501ee5c25d314a5cde713ce1
Author: Konstantin Knauf <kn...@gmail.com>
AuthorDate: Fri Dec 10 16:15:34 2021 +0100

    Add blog post about Log4j Zero Day
---
 _posts/2021-12-10-log4j-cve.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/_posts/2021-12-10-log4j-cve.md b/_posts/2021-12-10-log4j-cve.md
new file mode 100644
index 0000000..574ec66
--- /dev/null
+++ b/_posts/2021-12-10-log4j-cve.md
@@ -0,0 +1,21 @@
+---
+layout: post
+title: "Advise on Apache Log4j Zero Day (CVE-2021-44228)"
+date: 2021-12-10 00:00:00
+authors:
+- knaufk:
+  name: "Konstantin Knauf"
+excerpt: "Advise on Apache Log4j Zero Day (CVE-2021-44228)"
+---
+
+Yesterday, a new Zero Day for Apache Log4j was [reported](https://www.cyberkendra.com/2021/12/apache-log4j-vulnerability-details-and.html). 
+It is by now tracked under [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228). 
+
+Apache Flink is bundling a version of Log4j that is affeced by this vulnerability. 
+We recommend users to follow the [adivsory](https://logging.apache.org/log4j/2.x/security.html) of the Apache Log4j Community. 
+For Apache Flink this currently translates to "setting system property `log4j2.formatMsgNoLookups` to `true`" until Log4j has been upgraded to 2.15.0 in Apache Flink. 
+
+This effort is tracked in [FLINK-25240](https://issues.apache.org/jira/browse/FLINK-25240). 
+It will be included in Flink 1.15.0, Flink 1.14.1 and Flink 1.13.3.
+We expect Flink 1.14.1 to be released in the next 1-2 weeks.
+The other releases will follow in their regular cadence.
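Review bot: The user-facing `title:` and `excerpt:` read "Advise on Apache Log4j Zero Day"; "Advise" is the verb and the noun "Advice" is meant, so both front-matter fields should be fixed before publishing, together with "affeced" (affected) and "adivsory" (advisory) in the body. The mitigation paragraph also tells users to set the system property `log4j2.formatMsgNoLookups` to `true` without saying where in a Flink deployment to set it; a sentence pointing at the JVM options of the JobManager and TaskManager processes would make the advice actionable for operators who are not familiar with how Flink passes system properties to its JVMs.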