Thanks Timo, that was helpful.

On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <
prasannakumarram...@gmail.com> wrote:

> Chesnay Thank you for the clarification.
>
> On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org>
> wrote:
>
>> The flink-shaded-zookeeper jars do not contain log4j.
>>
>> On 13/12/2021 14:11, Prasanna kumar wrote:
>>
>> Does Zookeeper have this vulnerability dependency ? I see references to
>> log4j in Shaded Zookeeper jar included as part of the flink distribution.
>>
>> On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org> wrote:
>>
>>> While we are working to upgrade the affected dependencies of all
>>> components, we recommend users follow the advisory of the Apache Log4j
>>> Community. Also Ververica platform can be patched with a similar
>>> approach:
>>>
>>> To configure the JVMs used by Ververica Platform, you can pass custom
>>> Java options via the JAVA_TOOL_OPTIONS environment variable. Add the
>>> following to your platform values.yaml, or append to the existing value
>>> of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy
>>> the platform with Helm:
>>> env:
>>>    - name: JAVA_TOOL_OPTIONS
>>>      value: -Dlog4j2.formatMsgNoLookups=true
>>>
>>>
>>> For any questions, please contact us via our support portal.
>>>
>>> Regards,
>>> Timo
>>>
>>> On 11.12.21 06:45, narasimha wrote:
>>> > Folks, what about the veverica platform. Is there any
>>> mitigation around it?
>>> >
>>> > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler <ches...@apache.org>
>>> > wrote:
>>> >
>>> >     I would recommend to modify your log4j configurations to set
>>> >     log4j2.formatMsgNoLookups to true.
>>> >
>>> >     As far as I can tell this is equivalent to upgrading log4j, which
>>> >     just disabled this lookup by default.
>>> >
>>> >     On 10/12/2021 10:21, Richard Deurwaarder wrote:
>>> >>     Hello,
>>> >>
>>> >>     There has been a log4j2 vulnerability made public
>>> >>     https://www.randori.com/blog/cve-2021-44228/ which is making
>>> >>     some waves :)
>>> >>     This post even explicitly mentions Apache Flink:
>>> >>
>>> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/
>>> >>
>>> >>     And fortunately, I saw this was already on your radar:
>>> >>     https://issues.apache.org/jira/browse/FLINK-25240
>>> >>
>>> >>     What would the advice be for flink users? Do you expect to push a
>>> >>     minor to fix this? Or is it advisable to upgrade to the latest
>>> >>     log4j2 version manually for now?
>>> >>
>>> >>     Thanks for any advice!
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > A.Narasimha Swamy
>>>
>>>
>>

-- 
A.Narasimha Swamy
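The thread raises two practical questions: whether a given jar in the distribution (such as the shaded Zookeeper jar) actually bundles log4j-core, and how to apply the `-Dlog4j2.formatMsgNoLookups=true` mitigation through `JAVA_TOOL_OPTIONS` without clobbering an existing value. The script below is an added example, not code from this thread, from Flink, or from Ververica. It assumes the standard log4j-core jar layout (a `JndiLookup.class` under `log4j/core/lookup/` and a Maven `pom.properties` under `log4j-core/`), matches those paths by suffix so that relocated copies inside shaded jars are still found, and uses constructed in-memory jars so it runs offline. The 2.10.0 threshold reflects the version in which the `log4j2.formatMsgNoLookups` property was introduced; on older 2.x releases the property has no effect and only an upgrade helps.

```python
import io
import os
import zipfile

NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# Matched by suffix so a shaded/relocated copy (e.g. under a different package root) is caught too.
JNDI_LOOKUP_SUFFIX = "log4j/core/lookup/JndiLookup.class"
POM_PROPS_SUFFIX = "log4j-core/pom.properties"


def scan_jar_bytes(jar_bytes):
    """Inspect one jar (as bytes) for a bundled log4j-core.

    Returns a dict with:
      has_jndi_lookup    - True if a JndiLookup class is present anywhere in the jar
      log4j_core_version - version from the Maven pom.properties, or None if absent
    """
    result = {"has_jndi_lookup": False, "log4j_core_version": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(JNDI_LOOKUP_SUFFIX):
                result["has_jndi_lookup"] = True
            elif name.endswith(POM_PROPS_SUFFIX):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        result["log4j_core_version"] = line.split("=", 1)[1].strip()
    return result


def scan_jar_file(path):
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read())


def scan_lib_dir(lib_dir):
    """Scan every *.jar in a directory (e.g. a distribution's lib/). Returns {filename: result}."""
    findings = {}
    for entry in sorted(os.listdir(lib_dir)):
        if entry.endswith(".jar"):
            findings[entry] = scan_jar_file(os.path.join(lib_dir, entry))
    return findings


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); a non-numeric tail such as '-rc1' is dropped."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def property_mitigation_applies(version):
    """The log4j2.formatMsgNoLookups property exists only in log4j 2.10.0 and later."""
    return parse_version(version) >= (2, 10, 0)


def has_no_lookups_flag(java_tool_options):
    """True if the JAVA_TOOL_OPTIONS value already carries the mitigation flag."""
    return NO_LOOKUPS_FLAG in java_tool_options.split()


def with_no_lookups_flag(java_tool_options):
    """Append the flag to an existing JAVA_TOOL_OPTIONS value without duplicating it."""
    opts = java_tool_options.split()
    if NO_LOOKUPS_FLAG not in opts:
        opts.append(NO_LOOKUPS_FLAG)
    return " ".join(opts)


def build_sample_jar(entries):
    """Build an in-memory jar from {entry_name: content}. Constructed test data, not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one jar bundling a hypothetical log4j-core 2.14.1, one that bundles none.
SAMPLE_WITH_LOG4J = build_sample_jar({
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "version=2.14.1\n",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": b"\xca\xfe\xba\xbe",
})
SAMPLE_WITHOUT_LOG4J = build_sample_jar({
    "org/apache/zookeeper/ZooKeeper.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    for label, jar in (("with-log4j", SAMPLE_WITH_LOG4J), ("without-log4j", SAMPLE_WITHOUT_LOG4J)):
        print(label, scan_jar_bytes(jar))
    print(with_no_lookups_flag("-Xmx2g"))
```

Point `scan_lib_dir` at a real `lib/` directory to get a per-jar report; a jar with `has_jndi_lookup` true and a version below 2.10.0 is one the property cannot protect, so that combination is the one to escalate rather than patch via `JAVA_TOOL_OPTIONS`.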
