Hi,

Context: I am using Flink 1.12.1 for real-time event processing. This Flink 
version uses log4j 2.12.1. But the jar that I am uploading uses 2.17.0.

Now my assumption is that Flink, being generic in nature, does not log 
event-specific data; logging it is the responsibility of the user-specific code 
which is uploaded via the jar.

Since the log4j vulnerability is caused by an attacker sending a malicious string 
which performs a lookup to the attacker's server, getting attacked by this string 
can only be possible (in my case) if the malicious string is set as the value of 
a key which is then logged by my code. But my uber jar uses log4j version 2.17.0. 

So my doubt is whether there is any situation that I am missing because of 
which I should upgrade the log4j version of the cluster as well, or whether just 
upgrading the log4j version of my jar should suffice.

Thanks,
Puneet Duggal
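The practical check behind this question is which log4j-core each JVM actually loads. Flink's own framework log lines (job and operator names, exception messages, all of which can carry user-supplied strings) go through the log4j-core on the cluster classpath in lib/, not the copy shaded into a submitted user jar, so both locations have to be inspected when assessing the JNDI lookup vulnerability (CVE-2021-44228). The scanner below is an added example, not Flink or log4j project code. It assumes the standard Maven pom.properties path and JndiLookup class path that log4j-core jars carry, treats 2.17.0 (the version in the poster's jar) as the assumed threshold, and the sample jars it builds are constructed stand-ins containing only those marker entries.

```python
"""Report which log4j-core versions are really present on a Flink classpath:
scan lib/ and the submitted uber jar, descending into jars nested inside jars.
Added example; not Flink or log4j project code."""
import io
import tempfile
import zipfile
from pathlib import Path

# Marker entries inside a log4j-core jar (paths as published by the project).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Threshold assumed here: the 2.17.0 the poster's jar uses. Older branches
# (e.g. 2.12.x for Java 7) have their own fixed releases; adjust if you rely on them.
MIN_OK = (2, 17, 0)


def parse_version(text):
    """'2.12.1' -> (2, 12, 1); qualifiers such as '-rc1' are ignored."""
    parts = []
    for piece in text.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        if not num:
            break
        parts.append(int(num))
    return tuple(parts)


def log4j_core_version(zf):
    """Version from the Maven pom.properties a log4j-core jar carries, or None."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar(data, label):
    """Findings for one jar given as bytes, plus any jar nested inside it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = log4j_core_version(zf)
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            findings.append({"jar": label, "version": version, "jndi_lookup": has_jndi})
        for inner in sorted(names):  # shaded uber jars are flat; some bundles nest jars
            if inner.endswith(".jar"):
                findings.extend(inspect_jar(zf.read(inner), f"{label}!/{inner}"))
    return findings


def scan_directory(root):
    """Scan every *.jar below root (e.g. Flink's lib/ and usrlib/)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.jar")):
        findings.extend(inspect_jar(path.read_bytes(), path.relative_to(root).as_posix()))
    return findings


def needs_upgrade(finding):
    """Flag a jar still shipping JndiLookup below MIN_OK (or with no version info).
    Removing the class (the 'zip -q -d' mitigation) clears the flag on old versions."""
    if not finding["jndi_lookup"]:
        return False
    if finding["version"] is None:
        return True
    return parse_version(finding["version"]) < MIN_OK


def _write_jar(path, entries):
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)


def build_sample_jars(root=None):
    """Constructed sample jars (not real Flink/log4j artifacts) mirroring the poster's
    setup: lib/ on log4j-core 2.12.1, a connector nesting another copy, and an uber
    jar shading log4j-core 2.17.0. Returns the directory created."""
    root = Path(root or tempfile.mkdtemp(prefix="log4j-scan-"))
    fake_class = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class file
    _write_jar(root / "lib" / "log4j-core-2.12.1.jar",
               {POM_PROPS: "version=2.12.1\n", JNDI_CLASS: fake_class})
    _write_jar(root / "lib" / "flink-dist_2.11-1.12.1.jar",
               {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.12.1\n")
        zf.writestr(JNDI_CLASS, fake_class)
    _write_jar(root / "lib" / "some-connector.jar",
               {"lib/log4j-core-2.12.1.jar": nested.getvalue()})
    _write_jar(root / "usrlib" / "my-job-uber.jar",
               {POM_PROPS: "version=2.17.0\n", JNDI_CLASS: fake_class})
    return root


if __name__ == "__main__":
    for f in scan_directory(build_sample_jars()):
        flag = "UPGRADE" if needs_upgrade(f) else "ok"
        print(f"{flag:8} {f['version'] or '?':8} jndi={f['jndi_lookup']}  {f['jar']}")
```

Run it against the real directories with `scan_directory("/opt/flink/lib")` and again against the directory holding the uber jar; a 2.12.1 finding under lib/ means the JobManager and TaskManager processes still load the old logger regardless of what the user jar bundles, and that is the case the poster's reasoning does not cover.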
