[
https://issues.apache.org/jira/browse/FLINK-25240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457103#comment-17457103
]
Martijn Visser commented on FLINK-25240:
----------------------------------------
As mentioned on the User mailing list, the recommendation is to "modify your
log4j configurations to set log4j2.formatMsgNoLookups to true"
https://lists.apache.org/thread/002zlhs1s3on742fwxz47k32vsmmj2wc
The advisory from Log4J is also out:
https://logging.apache.org/log4j/2.x/security.html which mentions this, plus
other mitigation possibilities.
We can therefore treat this update like a regular dependency update. I would
say update the dependency for 1.15 and backport to 1.14 and 1.13.
> Update log4j2 version to 2.15.0
> --------------------------------
>
> Key: FLINK-25240
> URL: https://issues.apache.org/jira/browse/FLINK-25240
> Project: Flink
> Issue Type: Improvement
> Components: API / Core
> Affects Versions: 1.13.0
> Reporter: Ada Wong
> Assignee: Ada Wong
> Priority: Blocker
> Labels: pull-request-available
> Fix For: 1.15.0, 1.14.1, 1.13.4
>
>
> 2.0 <= Apache log4j2 <= 2.14.1 have a RCE zero day.
> [https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html]
> https://www.lunasec.io/docs/blog/log4j-zero-day/
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
