Hi Till,

I think it would be great if we could achieve this so that Flink would be
'hardened' by default. Hopefully someone in the community has some ideas
how.

Best regards,

Martijn

On Tue, 4 Jan 2022 at 13:19, Till Rohrmann <trohrm...@apache.org> wrote:

> Hi everyone,
>
> With the latest CVEs around log4j, we have seen that certain functionality
> of the JVM can be quite dangerous. Concretely, the JNDI functionality [1]
> seems to open quite a large attack vector against JVMs which has been used
> in the log4j CVE case.
>
> In order to avoid these kinds of security issues, Stephan had the idea of
> looking into disabling the JNDI functionality by default. It is not clear
> whether this is easily doable but there exist some projects that do it for
> dedicated libraries [2].
>
> That is why I wanted to reach out to the community to ask for help with
> this issue. Maybe you have encountered a similar problem in a different
> context and know how to deal with these issues.
>
> [1] https://docs.oracle.com/javase/jndi/tutorial/getStarted/overview/index.html#:~:text=The%20Java%20Naming%20and%20Directory,any%20specific%20directory%20service%20implementation
> [2] https://github.com/nccgroup/log4j-jndi-be-gone
>
> Cheers,
> Till
>
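One concrete way to get the "JNDI off by default" behaviour the thread asks about, as an added example that is not code from the Flink project or from anyone in this thread: install a process-wide `InitialContextFactoryBuilder` that refuses to create any naming context. The class and method names below are my own; the example assumes JDK 8 or later and only covers lookups that go through `javax.naming.InitialContext`.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.NoInitialContextException;
import javax.naming.spi.InitialContextFactory;
import javax.naming.spi.InitialContextFactoryBuilder;
import javax.naming.spi.NamingManager;
import java.util.Hashtable;

/**
 * Process-wide JNDI kill switch (hypothetical helper, not Flink code).
 * Once an InitialContextFactoryBuilder is installed, every InitialContext
 * obtains its factory from that builder, and InitialContext stops consulting
 * URL context factories for names such as "ldap://..." or "rmi://...".
 * The builder below hands out a factory that never creates a context,
 * so every lookup fails closed before any network provider is touched.
 */
public final class JndiKillSwitch {

    private JndiKillSwitch() {}

    /** Installs the kill switch; idempotent, but a builder set elsewhere cannot be replaced. */
    public static synchronized void install() {
        if (NamingManager.hasInitialContextFactoryBuilder()) {
            return; // the JDK allows exactly one builder per JVM
        }
        try {
            NamingManager.setInitialContextFactoryBuilder(env -> new DisabledFactory());
        } catch (NamingException e) {
            throw new IllegalStateException("failed to disable JNDI", e);
        }
    }

    /** Factory that refuses to create any naming context. */
    private static final class DisabledFactory implements InitialContextFactory {
        @Override
        public Context getInitialContext(Hashtable<?, ?> env) throws NamingException {
            throw new NoInitialContextException("JNDI lookups are disabled in this process");
        }
    }

    /** Demo: a URL lookup that would otherwise reach a directory server now fails locally. */
    public static void main(String[] args) {
        install();
        try {
            new InitialContext().lookup("ldap://example.invalid/x"); // constructed name, never contacted
            System.out.println("UNEXPECTED: lookup succeeded");
        } catch (NamingException expected) {
            System.out.println("blocked: " + expected.getMessage());
        }
    }
}
```

Because the JDK accepts a builder only once, `install()` has to run before any library that legitimately relies on JNDI (JDBC data sources in an application server, for instance) or that installs its own builder; such code will also be blocked by this switch.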
