[
https://issues.apache.org/jira/browse/BEAM-14069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511361#comment-17511361
]
Ohad Pinchevsky commented on BEAM-14069:
----------------------------------------
Raised to P1 - also we see other issues in description
> Traces of Log4j 1.x inside of beam-runners-flink-1.13-job-server-2.36.0.jar
> ----------------------------------------------------------------------------
>
> Key: BEAM-14069
> URL: https://issues.apache.org/jira/browse/BEAM-14069
> Project: Beam
> Issue Type: Bug
> Components: runner-flink
> Affects Versions: 2.36.0
> Reporter: Ohad Pinchevsky
> Priority: P1
>
> Log4j 1.x is EOL, still traces of it found inside
> beam-runners-flink-1.13-job-server-2.36.0.jar
> Path to pom.xml with that version:
> /beam-runners-flink-1.13-job-server-2.36.0/META-INF/maven/log4j/log4j/pom.xml
> Inside version tag: 1.2.17
>
> Also SpotBugs Annotations4.0.0-beta1
> Apache Log4j JNDI features used in configuration, log messages, and
> parameters do not protect against attacker controlled LDAP and other JNDI
> related endpoints. An attacker who can control log messages or log message
> parameters can execute arbitrary code loaded from LDAP servers when message
> lookup substitution is enabled. [CVE-2021-44228]
> Vendor Affected Components:
> SpotBugs ≤ 4.5.1
>
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
