Dear Flink Community,

Yesterday, a new Zero Day for Apache Log4j was reported [1]. It is now tracked under CVE-2021-44228 [2].

Apache Flink bundles a version of Log4j that is affected by this vulnerability. We recommend that users follow the advisory [3] of the Apache Log4j Community. For Apache Flink this currently translates to “setting system property log4j2.formatMsgNoLookups to true” until Log4j has been upgraded to 2.15.0 in Apache Flink. This effort is tracked in FLINK-25240 [4]. It will be included in Flink 1.15.0, Flink 1.14.1 and Flink 1.13.3. We expect Flink 1.14.1 to be released in the next 1-2 weeks. The other releases will follow in their regular cadence.

This advice has also been published on the Apache Flink blog: https://flink.apache.org/2021/12/10/log4j-cve.html

Best,

Konstantin

[1] https://www.cyberkendra.com/2021/12/apache-log4j-vulnerability-details-and.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-44228
[3] https://logging.apache.org/log4j/2.x/security.html
[4] https://issues.apache.org/jira/browse/FLINK-25240

--
Konstantin Knauf
https://twitter.com/snntrable
https://github.com/knaufk
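The message above leaves two things for an operator to check on each Flink installation: which log4j-core version is actually bundled under lib/, and whether the interim mitigation (log4j2.formatMsgNoLookups=true) really reaches every Flink JVM until the upgrade to 2.15.0 lands. The following script is an added example for doing both offline; it is not code from the Flink project or from the author of the message. It assumes that the bundled log4j-core jar carries the usual Maven pom.properties under META-INF/, that the property is passed to Flink's processes through the env.java.opts, env.java.opts.jobmanager and env.java.opts.taskmanager keys of flink-conf.yaml, and it hard-codes the fact that Log4j releases before 2.10.0 do not know the property at all, so for those only an upgrade helps. The sample lib/ directory it builds when run without arguments is a constructed fixture, not a real Flink distribution.

```python
"""Check a Flink distribution for a bundled log4j-core and the CVE-2021-44228 stop-gap.

Example code written for this mailing-list post; not part of Apache Flink or Log4j.
"""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Set, Tuple

Version = Tuple[int, ...]

# Maven-built jars record their own coordinates here; log4j-core ships this file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_IN: Version = (2, 15, 0)     # upgrade target named in the advisory
PROP_SINCE: Version = (2, 10, 0)   # log4j2.formatMsgNoLookups is ignored by older releases
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# Assumption: these flink-conf.yaml keys are how JVM options reach Flink's processes.
# env.java.opts applies to every JVM, the suffixed keys to one process type each.
JVM_OPT_KEYS = {
    "env.java.opts": {"jobmanager", "taskmanager"},
    "env.java.opts.jobmanager": {"jobmanager"},
    "env.java.opts.taskmanager": {"taskmanager"},
}


def parse_version(text: str) -> Version:
    """'2.14.1' -> (2, 14, 1); tolerant of suffixes such as '2.15.0-rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def log4j_core_version(jar: Path) -> Optional[Version]:
    """Version from log4j-core's pom.properties inside `jar`, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(jar) as zf:
            if POM_PROPS not in zf.namelist():
                return None
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    m = re.search(r"^version=(.+)$", props, re.MULTILINE)
    return parse_version(m.group(1)) if m else None


def find_log4j_core(lib_dir: Path) -> Dict[str, Version]:
    """Map jar file name -> log4j-core version for every log4j-core jar in lib_dir."""
    found: Dict[str, Version] = {}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        v = log4j_core_version(jar)
        if v is not None:
            found[jar.name] = v
    return found


def jvms_with_flag(flink_conf: str) -> Set[str]:
    """Process types whose JVM options in flink-conf.yaml carry the mitigation flag."""
    covered: Set[str] = set()
    for raw in flink_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if key.strip() in JVM_OPT_KEYS and MITIGATION_FLAG in value:
            covered |= JVM_OPT_KEYS[key.strip()]
    return covered


def assess(lib_dir: Path, flink_conf: str) -> str:
    """One of: 'no-log4j-core', 'fixed', 'mitigated', 'partially-mitigated', 'vulnerable'."""
    versions = find_log4j_core(lib_dir)
    if not versions:
        return "no-log4j-core"
    oldest = min(versions.values())   # several copies on the classpath: the oldest decides
    if oldest >= FIXED_IN:
        return "fixed"
    if oldest < PROP_SINCE:
        return "vulnerable"           # property unknown to this release; only an upgrade helps
    covered = jvms_with_flag(flink_conf)
    if covered >= {"jobmanager", "taskmanager"}:
        return "mitigated"
    return "partially-mitigated" if covered else "vulnerable"


def make_sample_lib(version: str) -> Path:
    """Constructed fixture: a throwaway lib/ with a minimal fake log4j-core jar and one other jar."""
    lib = Path(tempfile.mkdtemp()) / "lib"
    lib.mkdir()
    with zipfile.ZipFile(lib / f"log4j-core-{version}.jar", "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
    with zipfile.ZipFile(lib / "flink-dist.jar", "w") as zf:   # unrelated jar, must be ignored
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return lib


if __name__ == "__main__":
    import sys
    lib_dir = Path(sys.argv[1]) if len(sys.argv) > 1 else make_sample_lib("2.14.1")
    conf = Path(sys.argv[2]).read_text() if len(sys.argv) > 2 else "env.java.opts: " + MITIGATION_FLAG + "\n"
    print(find_log4j_core(lib_dir), assess(lib_dir, conf))
```

Run it as `python check_log4j.py /opt/flink/lib /opt/flink/conf/flink-conf.yaml` on a real installation. The verdict is deliberately conservative: it reads only the flink-conf.yaml keys listed above, so a flag injected some other way (an environment variable, a log4j2.component.properties on the classpath) is not credited, and a setting that covers only the JobManager or only the TaskManager is reported as partially-mitigated rather than mitigated, since user code runs in the TaskManagers. It reports the bundled version regardless, because the property is the stop-gap the message describes and the upgrade to 2.15.0 is the actual fix.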