sjwiesman commented on a change in pull request #488: URL: https://github.com/apache/flink-web/pull/488#discussion_r766932872
########## File path: _posts/2021-12-10-log4j-cve.md ########## @@ -13,8 +13,15 @@ It is by now tracked under [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE Apache Flink is bundling a version of Log4j that is affected by this vulnerability. We recommend users to follow the [advisory](https://logging.apache.org/log4j/2.x/security.html) of the Apache Log4j Community. -For Apache Flink this currently translates to "setting system property `log4j2.formatMsgNoLookups` to `true`" until Log4j has been upgraded to 2.15.0 in Apache Flink. +For Apache Flink this currently translates to setting the following property in your flink-conf.yaml: +```yaml +env.java.opts: -Dlog4j2.formatMsgNoLookups=true +``` + +If you are already setting `env.java.opts.jobmanager` or `env.java.opts.taskmanager`, you should instead add the system change to those existing parameter lists. Review comment: ```suggestion If you are already setting `env.java.opts.jobmanager`, `env.java.opts.taskmanager`, `env.java.opts.client`, or `env.java.opts.historyserver` you should instead add the system change to those existing parameter lists. ```
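Review bot: In the last added sentence, "add the system change to those existing parameter lists" does not say what has to be added; naming the flag explicitly, `-Dlog4j2.formatMsgNoLookups=true`, would keep readers who use the per-component options from leaving a process unmitigated. The added lines also drop the removed line's qualifier "until Log4j has been upgraded to 2.15.0 in Apache Flink", so the visible text no longer presents this as a temporary mitigation; consider keeping that clause. The yaml example shows `env.java.opts` holding only this flag, so a sentence telling users with an existing `env.java.opts` value to append the flag rather than replace the line would avoid losing their other JVM options.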