[ https://issues.apache.org/jira/browse/BEAM-14069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511361#comment-17511361 ]
Ohad Pinchevsky commented on BEAM-14069:
----------------------------------------

Raised to P1 - also we see other issues in description

> Traces of Log4j 1.x inside of beam-runners-flink-1.13-job-server-2.36.0.jar
> ----------------------------------------------------------------------------
>
>                 Key: BEAM-14069
>                 URL: https://issues.apache.org/jira/browse/BEAM-14069
>             Project: Beam
>          Issue Type: Bug
>          Components: runner-flink
>    Affects Versions: 2.36.0
>            Reporter: Ohad Pinchevsky
>            Priority: P1
>
> Log4j 1.x is EOL, still traces of it found inside
> beam-runners-flink-1.13-job-server-2.36.0.jar
> Path to pom.xml with that version:
> /beam-runners-flink-1.13-job-server-2.36.0/META-INF/maven/log4j/log4j/pom.xml
> Inside version tag: 1.2.17
>
> Also SpotBugs Annotations 4.0.0-beta1
> Apache Log4j JNDI features used in configuration, log messages, and
> parameters do not protect against attacker controlled LDAP and other JNDI
> related endpoints. An attacker who can control log messages or log message
> parameters can execute arbitrary code loaded from LDAP servers when message
> lookup substitution is enabled. [CVE-2021-44228]
> Vendor Affected Components:
> SpotBugs ≤ 4.5.1

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
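The report locates the EOL dependency by reading the Maven metadata a shaded jar carries for each bundled artifact (`META-INF/maven/<groupId>/<artifactId>/pom.xml`, version tag `1.2.17`). The following script, added here as an illustration and not part of the Beam project or this ticket, automates that check: it walks a jar's `META-INF/maven/` entries, recovers `groupId:artifactId:version` from either `pom.xml` or `pom.properties`, flags `log4j:log4j` 1.x, and cross-checks against the presence of `org/apache/log4j/*.class` files, which survive even when Maven metadata has been stripped. The jar it scans is constructed in memory from the values in the report; the SpotBugs annotations coordinates (`com.github.spotbugs:spotbugs-annotations`) are an assumption for the sample and not taken from the ticket.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.(xml|properties)$")


def build_sample_jar() -> bytes:
    """Constructed sample jar mirroring the report: bundled log4j:log4j 1.2.17
    plus an unrelated dependency and one Log4j 1.x class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/log4j/log4j/pom.xml",
            '<?xml version="1.0"?>'
            '<project xmlns="http://maven.apache.org/POM/4.0.0">'
            "<groupId>log4j</groupId><artifactId>log4j</artifactId>"
            "<version>1.2.17</version></project>",
        )
        zf.writestr(
            "META-INF/maven/log4j/log4j/pom.properties",
            "#Generated by Maven\nversion=1.2.17\ngroupId=log4j\nartifactId=log4j\n",
        )
        # Assumed coordinates for the SpotBugs annotations artifact (sample only).
        zf.writestr(
            "META-INF/maven/com.github.spotbugs/spotbugs-annotations/pom.properties",
            "version=4.0.0-beta1\ngroupId=com.github.spotbugs\n"
            "artifactId=spotbugs-annotations\n",
        )
        # Placeholder class bytes (only the path matters for the package check).
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def _local(tag: str) -> str:
    """Strip the XML namespace so Maven POMs with or without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def parse_pom_xml(data: bytes) -> dict:
    """Return groupId/artifactId/version from a pom.xml, falling back to <parent>
    for groupId and version, which child modules commonly inherit."""
    root = ET.fromstring(data)
    coords, parent = {}, {}
    for child in root:
        name = _local(child.tag)
        if name in ("groupId", "artifactId", "version"):
            coords[name] = (child.text or "").strip()
        elif name == "parent":
            parent = {_local(p.tag): (p.text or "").strip() for p in child}
    for key in ("groupId", "version"):
        coords.setdefault(key, parent.get(key, ""))
    return coords


def parse_pom_properties(data: bytes) -> dict:
    """Parse the key=value pom.properties file Maven writes next to pom.xml."""
    coords = {}
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        coords[key.strip()] = value.strip()
    return coords


def list_bundled_dependencies(jar_bytes: bytes) -> dict:
    """Map (groupId, artifactId) -> version for every Maven pom entry in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            match = POM_RE.match(name)
            if not match:
                continue
            data = zf.read(name)
            coords = parse_pom_xml(data) if match.group(3) == "xml" else parse_pom_properties(data)
            key = (coords.get("groupId") or match.group(1),
                   coords.get("artifactId") or match.group(2))
            version = coords.get("version", "")
            # pom.xml and pom.properties describe the same artifact; prefer a non-empty version.
            if version or key not in found:
                found[key] = version
    return found


def find_log4j1(deps: dict) -> list:
    """Flag the EOL log4j:log4j 1.x line among the bundled dependencies."""
    return [(g, a, v) for (g, a), v in deps.items()
            if (g, a) == ("log4j", "log4j") and v.startswith("1.")]


def has_log4j1_classes(jar_bytes: bytes) -> bool:
    """Second signal: classes under the Log4j 1.x package. Note this also matches
    the Log4j 2 log4j-1.2-api bridge, so confirm with the Maven coordinates."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return any(n.startswith("org/apache/log4j/") and n.endswith(".class")
                   for n in zf.namelist())


if __name__ == "__main__":
    jar = build_sample_jar()
    deps = list_bundled_dependencies(jar)
    for (g, a), v in sorted(deps.items()):
        print(f"{g}:{a}:{v}")
    print("log4j 1.x coordinates:", find_log4j1(deps))
    print("org/apache/log4j classes present:", has_log4j1_classes(jar))
```

To run this against a real artifact, replace `build_sample_jar()` with the bytes of the jar file; for the Beam flink job-server jar named in the ticket the scan should surface the `log4j:log4j:1.2.17` entry the reporter found by hand.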