I would recommend modifying your log4j configurations to set
log4j2.formatMsgNoLookups to true.
As far as I can tell this is equivalent to upgrading log4j, which just
disabled this lookup by default.
On 10/12/2021 10:21, Richard Deurwaarder wrote:
Hello,
There has been a log4j2 vulnerability made public
https://www.randori.com/blog/cve-2021-44228/ which is making some waves :)
This post even explicitly mentions Apache Flink:
https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
And fortunately, I saw this was already on your radar:
https://issues.apache.org/jira/browse/FLINK-25240
What would the advice be for flink users? Do you expect to push a
minor to fix this? Or is it advisable to upgrade to the latest log4j2
version manually for now?
Thanks for any advice!
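An added example (not part of this thread) that checks whether a Flink installation already carries the mitigation recommended in the reply above: the formatMsgNoLookups flag, or a log4j upgrade. It assumes the standard layout (conf/flink-conf.yaml with env.java.opts, and the log4j-core jar in lib/), that the property only takes effect on log4j 2.10.0 and later, and that 2.15.0 is the release that disables lookups by default.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes $FLINK_HOME/conf/flink-conf.yaml
# carries JVM options in env.java.opts(.jobmanager|.taskmanager) and that
# $FLINK_HOME/lib holds a log4j-core-<version>.jar.

# Print the log4j-core version found in a lib directory (empty if none).
log4j_core_version() {
  for jar in "$1"/log4j-core-*.jar; do
    [ -f "$jar" ] || continue
    basename "$jar" .jar | sed 's/^log4j-core-//'
    return 0
  done
  echo ""
}

# Succeed if flink-conf.yaml passes -Dlog4j2.formatMsgNoLookups=true to the JVMs.
has_no_lookups_flag() {
  grep -E '^env\.java\.opts(\.jobmanager|\.taskmanager)?:.*-Dlog4j2\.formatMsgNoLookups=true' "$1" >/dev/null 2>&1
}

# version_at_least VERSION MAJOR MINOR: succeed if VERSION >= MAJOR.MINOR.
version_at_least() {
  [ -n "$1" ] || return 1
  major=$(echo "$1" | cut -d. -f1)
  minor=$(echo "$1" | cut -d. -f2)
  [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# Verdict for a Flink home directory:
#   upgraded     - log4j-core >= 2.15.0, lookups are off by default
#   mitigated    - flag set and log4j-core >= 2.10.0, so the property is honoured
#   flag-ignored - flag set but log4j-core older than 2.10.0 (property has no effect)
#   unmitigated  - neither upgrade nor flag present
check_flink_home() {
  conf="$1/conf/flink-conf.yaml"
  ver=$(log4j_core_version "$1/lib")
  if version_at_least "$ver" 2 15; then
    echo upgraded
  elif has_no_lookups_flag "$conf"; then
    if version_at_least "$ver" 2 10; then echo mitigated; else echo flag-ignored; fi
  else
    echo unmitigated
  fi
}
```

Run it as `check_flink_home /opt/flink` (path assumed) on each JobManager and TaskManager host, since lib/ and conf/ can differ between them.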