[
https://issues.apache.org/jira/browse/FLINK-21670?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Adam Roberts updated FLINK-21670:
---------------------------------
Summary: Bump log4j versions (two places - 2.8.2 for Python, 2.13.2
elsewhere) (was: Bump log4j version to 2.8.2)
> Bump log4j versions (two places - 2.8.2 for Python, 2.13.2 elsewhere)
> ---------------------------------------------------------------------
>
> Key: FLINK-21670
> URL: https://issues.apache.org/jira/browse/FLINK-21670
> Project: Flink
> Issue Type: Bug
> Reporter: Adam Roberts
> Priority: Minor
>
> Hey everyone, another Twistlock scan done and, in the same manner as
> https://issues.apache.org/jira/browse/STORM-2528, it appears the Flink Python
> jar is impacted.
>
> Apparently we're using version 2.6.2, and bumping to 2.8.2 should be
> sufficient to remediate at least this potential problem:
> [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5645]
>
> I've done this scan against both 1.13 and 1.12.2, so ideally it should be
> fixed in both if possible, please.
>
> Also, while on the subject of log4j, this time not for the Flink Python jar,
> bumping org.apache.logging.log4j_log4j-api from 2.12.1 to 2.13.2 should
> fix CVE-2020-9488 (the file in question picked up is
> "/opt/flink/lib/log4j-api-2.12.1.jar").
>
> Cheers!
--
This message was sent by Atlassian Jira
(v8.3.4#803005)