This is an automated email from the ASF dual-hosted git repository. knaufk pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/flink-web.git
commit b17c8c568053ef2c2731beec9e46fc6b1ca9e71f Author: Konstantin Knauf <knauf.konstan...@gmail.com> AuthorDate: Fri Dec 10 17:36:01 2021 +0100 [hotfix] fix yptos in Log4j CVE blog post --- _posts/2021-12-10-log4j-cve.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/_posts/2021-12-10-log4j-cve.md b/_posts/2021-12-10-log4j-cve.md index 574ec66..deaafe0 100644 --- a/_posts/2021-12-10-log4j-cve.md +++ b/_posts/2021-12-10-log4j-cve.md @@ -5,14 +5,14 @@ date: 2021-12-10 00:00:00 authors: - knaufk: name: "Konstantin Knauf" -excerpt: "Advise on Apache Log4j Zero Day (CVE-2021-44228)" +excerpt: "Apache Flink is affected by an Apache Log4j Zero Day (CVE-2021-44228). This blog post contains advise for users on how to address this." --- Yesterday, a new Zero Day for Apache Log4j was [reported](https://www.cyberkendra.com/2021/12/apache-log4j-vulnerability-details-and.html). It is by now tracked under [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228). -Apache Flink is bundling a version of Log4j that is affeced by this vulnerability. -We recommend users to follow the [adivsory](https://logging.apache.org/log4j/2.x/security.html) of the Apache Log4j Community. +Apache Flink is bundling a version of Log4j that is affected by this vulnerability. +We recommend users to follow the [advisory](https://logging.apache.org/log4j/2.x/security.html) of the Apache Log4j Community. For Apache Flink this currently translates to "setting system property `log4j2.formatMsgNoLookups` to `true`" until Log4j has been upgraded to 2.15.0 in Apache Flink. This effort is tracked in [FLINK-25240](https://issues.apache.org/jira/browse/FLINK-25240).
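Review bot: The new `excerpt:` line still has a wording error: "contains advise for users" uses the verb where the noun is meant. Since this commit is a typo fix, change it to "contains advice for users on how to address this." In the body, "We recommend users to follow the [advisory]" would read better as "We recommend that users follow the [advisory]". Separately, the unchanged context line names the mitigation (setting system property `log4j2.formatMsgNoLookups` to `true`) but not where a user sets that property so that it reaches Flink's JVM processes. A sentence stating that would make the advice actionable for readers who arrive from the excerpt.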