[ https://issues.apache.org/jira/browse/FLINK-21670?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Roberts updated FLINK-21670:
---------------------------------
    Description: 
Hey everyone, another Twistlock scan done and, in the same manner as 
https://issues.apache.org/jira/browse/STORM-2528, it appears the Flink Python 
jar's impacted.

Apparently we're using version 2.6.2 and bumping to 2.8.2 should be sufficient 
to remediate at least this potential problem 
[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5645]

I've done this scan against both 1.13 and 1.12.2, so ideally it should be fixed in 
both if possible please.

Also, while on the subject of log4j, this time not for the Flink Python jar, 
bumping org.apache.logging.log4j_log4j-api from 2.12.1 to 2.13.2 should fix 
CVE-2020-9488 (the file in question picked up is 
"/opt/flink/lib/log4j-api-2.12.1.jar").

Cheers!

  was:
Hey everyone, another Twistlock scan done and, in the same manner as 
https://issues.apache.org/jira/browse/STORM-2528, it appears the Flink Python 
jar's impacted.

Apparently we're using version 2.6.2 and bumping to 2.8.2 should be sufficient 
to remediate at least this potential problem 
[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5645]

I've done this scan against both 1.13 and 1.12.2, so ideally it should be fixed in 
both if possible please. Cheers!


> Bump log4j version to 2.8.2
> ---------------------------
>
>                 Key: FLINK-21670
>                 URL: https://issues.apache.org/jira/browse/FLINK-21670
>             Project: Flink
>          Issue Type: Bug
>            Reporter: Adam Roberts
>            Priority: Minor



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
