Posted to commits@flink.apache.org by sj...@apache.org on 2021/12/10 19:46:50 UTC

[flink-web] branch asf-site updated (f00f0e8 -> e89e37d)

This is an automated email from the ASF dual-hosted git repository.

sjwiesman pushed a change to branch asf-site
in repository https://gitbox.apache.org/repos/asf/flink-web.git.


    from f00f0e8  rebuild website
     new 59d18f5  clarified flink config in log4j cve blog post
     new e89e37d  rebuild website

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 _posts/2021-12-10-log4j-cve.md    | 9 ++++++++-
 content/2021/12/10/log4j-cve.html | 9 +++++++--
 content/blog/feed.xml             | 9 +++++++--
 3 files changed, 22 insertions(+), 5 deletions(-)

[flink-web] 02/02: rebuild website

Posted by sj...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

sjwiesman pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/flink-web.git

commit e89e37d16c1438847a35fe987b0d2ab4bd61ac43
Author: Konstantin Knauf <kn...@gmail.com>
AuthorDate: Fri Dec 10 20:33:49 2021 +0100

    rebuild website
---
 content/2021/12/10/log4j-cve.html | 9 +++++++--
 content/blog/feed.xml             | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/content/2021/12/10/log4j-cve.html b/content/2021/12/10/log4j-cve.html
index e7f27e9..11b8a9e 100644
--- a/content/2021/12/10/log4j-cve.html
+++ b/content/2021/12/10/log4j-cve.html
@@ -206,9 +206,14 @@ It is by now tracked under <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44
 
 <p>Apache Flink is bundling a version of Log4j that is affected by this vulnerability. 
 We recommend users to follow the <a href="https://logging.apache.org/log4j/2.x/security.html">advisory</a> of the Apache Log4j Community. 
-For Apache Flink this currently translates to “setting system property <code>log4j2.formatMsgNoLookups</code> to <code>true</code>” until Log4j has been upgraded to 2.15.0 in Apache Flink.</p>
+For Apache Flink this currently translates to setting the following property in your flink-conf.yaml:</p>
 
-<p>This effort is tracked in <a href="https://issues.apache.org/jira/browse/FLINK-25240">FLINK-25240</a>. 
+<div class="highlight"><pre><code class="language-yaml"><span class="l-Scalar-Plain">env.java.opts</span><span class="p-Indicator">:</span> <span class="l-Scalar-Plain">-Dlog4j2.formatMsgNoLookups=true</span></code></pre></div>
+
+<p>If you are already setting <code>env.java.opts.jobmanager</code>, <code>env.java.opts.taskmanager</code>, <code>env.java.opts.client</code>, or <code>env.java.opts.historyserver</code> you should instead add the system change to those existing parameter lists.</p>
+
+<p>As soon as Log4j has been upgraded to 2.15.0 in Apache Flink, this is not necessary anymore. 
+This effort is tracked in <a href="https://issues.apache.org/jira/browse/FLINK-25240">FLINK-25240</a>. 
 It will be included in Flink 1.15.0, Flink 1.14.1 and Flink 1.13.3.
 We expect Flink 1.14.1 to be released in the next 1-2 weeks.
 The other releases will follow in their regular cadence.</p>
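Review bot: In the added sentence ending "in your flink-conf.yaml:", the file name is plain text, while the option names in the next added paragraph are wrapped in <code>. Marking the file name the same way would keep the post consistent. This page is rebuilt output, so the change belongs in _posts/2021-12-10-log4j-cve.md, followed by a rebuild.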
diff --git a/content/blog/feed.xml b/content/blog/feed.xml
index daa45f3..c666cb2 100644
--- a/content/blog/feed.xml
+++ b/content/blog/feed.xml
@@ -13,9 +13,14 @@ It is by now tracked under &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE
 
 &lt;p&gt;Apache Flink is bundling a version of Log4j that is affected by this vulnerability. 
 We recommend users to follow the &lt;a href=&quot;https://logging.apache.org/log4j/2.x/security.html&quot;&gt;advisory&lt;/a&gt; of the Apache Log4j Community. 
-For Apache Flink this currently translates to “setting system property &lt;code&gt;log4j2.formatMsgNoLookups&lt;/code&gt; to &lt;code&gt;true&lt;/code&gt;” until Log4j has been upgraded to 2.15.0 in Apache Flink.&lt;/p&gt;
+For Apache Flink this currently translates to setting the following property in your flink-conf.yaml:&lt;/p&gt;
 
-&lt;p&gt;This effort is tracked in &lt;a href=&quot;https://issues.apache.org/jira/browse/FLINK-25240&quot;&gt;FLINK-25240&lt;/a&gt;. 
+&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-yaml&quot;&gt;&lt;span class=&quot;l-Scalar-Plain&quot;&gt;env.java.opts&lt;/span&gt;&lt;span class=&quot;p-Indicator&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;l-Scalar-Plain&quot;&gt;-Dlog4j2.formatMsgNoLookups=true&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
+
+&lt;p&gt;If you are already setting &lt;code&gt;env.java.opts.jobmanager&lt;/code&gt;, &lt;code&gt;env.java.opts.taskmanager&lt;/code&gt;, &lt;code&gt;env.java.opts.client&lt;/code&gt;, or &lt;code&gt;env.java.opts.historyserver&lt;/code&gt; you should instead add the system change to those existing parameter lists.&lt;/p&gt;
+
+&lt;p&gt;As soon as Log4j has been upgraded to 2.15.0 in Apache Flink, this is not necessary anymore. 
+This effort is tracked in &lt;a href=&quot;https://issues.apache.org/jira/browse/FLINK-25240&quot;&gt;FLINK-25240&lt;/a&gt;. 
 It will be included in Flink 1.15.0, Flink 1.14.1 and Flink 1.13.3.
 We expect Flink 1.14.1 to be released in the next 1-2 weeks.
 The other releases will follow in their regular cadence.&lt;/p&gt;
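Review bot: In the added sentence "As soon as Log4j has been upgraded to 2.15.0 in Apache Flink, this is not necessary anymore", the word "this" has no clear referent, because the sentence now follows the paragraph about the per-component env.java.opts.* keys rather than the property itself. Naming the setting, for example "the log4j2.formatMsgNoLookups setting is no longer necessary", would let the sentence stand alone for feed readers who see the entry out of context.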

[flink-web] 01/02: clarified flink config in log4j cve blog post

Posted by sj...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

sjwiesman pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/flink-web.git

commit 59d18f50205c45e50f9bf2beb731579b6d42ed54
Author: Konstantin Knauf <kn...@gmail.com>
AuthorDate: Fri Dec 10 20:30:56 2021 +0100

    clarified flink config in log4j cve blog post
---
 _posts/2021-12-10-log4j-cve.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/_posts/2021-12-10-log4j-cve.md b/_posts/2021-12-10-log4j-cve.md
index deaafe0..163036d 100644
--- a/_posts/2021-12-10-log4j-cve.md
+++ b/_posts/2021-12-10-log4j-cve.md
@@ -13,8 +13,15 @@ It is by now tracked under [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE
 
 Apache Flink is bundling a version of Log4j that is affected by this vulnerability. 
 We recommend users to follow the [advisory](https://logging.apache.org/log4j/2.x/security.html) of the Apache Log4j Community. 
-For Apache Flink this currently translates to "setting system property `log4j2.formatMsgNoLookups` to `true`" until Log4j has been upgraded to 2.15.0 in Apache Flink. 
+For Apache Flink this currently translates to setting the following property in your flink-conf.yaml:
 
+```yaml
+env.java.opts: -Dlog4j2.formatMsgNoLookups=true
+```
+
+If you are already setting `env.java.opts.jobmanager`, `env.java.opts.taskmanager`, `env.java.opts.client`, or `env.java.opts.historyserver` you should instead add the system change to those existing parameter lists.
+
+As soon as Log4j has been upgraded to 2.15.0 in Apache Flink, this is not necessary anymore. 
 This effort is tracked in [FLINK-25240](https://issues.apache.org/jira/browse/FLINK-25240). 
 It will be included in Flink 1.15.0, Flink 1.14.1 and Flink 1.13.3.
 We expect Flink 1.14.1 to be released in the next 1-2 weeks.
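Review bot: The phrase "add the system change to those existing parameter lists" in the added paragraph about `env.java.opts.jobmanager` and the other per-component keys does not say what to add. Spelling it out would remove the guesswork, for example "add `-Dlog4j2.formatMsgNoLookups=true` to those existing option lists". The word "instead" also leaves open whether the generic `env.java.opts` line is ignored once a per-component key is set, and the text does not say whether already running processes must be restarted for the option to take effect. Both are worth one sentence in a security advisory.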