Hi, When can we expect the flink 1.12 releases with log4j 2.17.1?
Thanks, Suchithra From: Martijn Visser <mart...@ververica.com> Sent: Thursday, January 6, 2022 7:45 PM To: patrick.eif...@sony.com Cc: David Morávek <d...@apache.org>; swamy.haj...@gmail.com; subharaj.ma...@gmail.com; V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com>; Chesnay Schepler <ches...@apache.org>; User <user@flink.apache.org>; Michael Guterl <gute...@justin.tv>; Richard Deurwaarder <rich...@xeli.eu>; Parag Somani <somanipa...@gmail.com> Subject: Re: CVE-2021-44228 - Log4j2 vulnerability Hi all, The ticket for upgrading Log4J to 2.17.0 is https://issues.apache.org/jira/browse/FLINK-25375. There's also the update to Log4j 2.17.1 which is tracked under https://issues.apache.org/jira/browse/FLINK-25472 As you can see, both have a fix version set to 1.14.3 and 1.13.6. These versions haven't been released yet. Flink 1.14.3 is in preparation, this hasn't started yet for Flink 1.13.6. Best regards, Martijn On Thu, 6 Jan 2022 at 15:05, <patrick.eif...@sony.com<mailto:patrick.eif...@sony.com>> wrote: Hi, just to be sure: Which Flink Releases for 1.14 and 1.13 have the upgraded log4j version 2.17.0? Are those already deployed to docker? Many Thanks in Advance. Kind Regards, Patrick -- Patrick Eifler Senior Software Engineer (BI) Cloud Gaming Engineering & Infrastructure Sony Interactive Entertainment LLC Wilhelmstraße 118, 10963 Berlin Germany E: patrick.eif...@sony.com<mailto:patrick.eif...@sony.com> From: David Morávek <d...@apache.org<mailto:d...@apache.org>> Date: Wednesday, 29. December 2021 at 09:35 To: narasimha <swamy.haj...@gmail.com<mailto:swamy.haj...@gmail.com>> Cc: Debraj Manna <subharaj.ma...@gmail.com<mailto:subharaj.ma...@gmail.com>>, Martijn Visser <mart...@ververica.com<mailto:mart...@ververica.com>>, V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com<mailto:suchithra....@nokia.com>>, Chesnay Schepler <ches...@apache.org<mailto:ches...@apache.org>>, user <user@flink.apache.org<mailto:user@flink.apache.org>>, Michael Guterl <gute...@justin.tv<mailto:gute...@justin.tv>>, Richard Deurwaarder <rich...@xeli.eu<mailto:rich...@xeli.eu>>, Parag Somani <somanipa...@gmail.com<mailto:somanipa...@gmail.com>> Subject: Re: CVE-2021-44228 - Log4j2 vulnerability Please follow the above mentioned ML thread for more details. Please note that this is a REGULAR release that is not motivated by the log4j CVE, so the stability of the release is the more important factor then having it out as soon as possible. D. On Mon, Dec 27, 2021 at 6:33 AM narasimha <swamy.haj...@gmail.com<mailto:swamy.haj...@gmail.com>> wrote: Hi folks, When can we expect the release to be made available to the community? On Wed, Dec 22, 2021 at 3:07 PM David Morávek <d...@apache.org<mailto:d...@apache.org>> wrote: Hi Debraj, we're currently not planning another emergency release as this CVE is not as critical for Flink users as the previous one. However, this patch will be included in all upcoming patch & minor releases. The patch release for the 1.14.x branch is already in progress [1] (it may be bit delayed due to the holiday season). [1] https://lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk<https://urldefense.com/v3/__https:/lists.apache.org/thread/24v8bh3jww7c5bvfgov9cp5mb0wtj7tk__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hRKh5TRwA$> Best, D. On Wed, Dec 22, 2021 at 7:02 AM Debraj Manna <subharaj.ma...@gmail.com<mailto:subharaj.ma...@gmail.com>> wrote: Any idea when can we expect https://issues.apache.org/jira/browse/FLINK-25375<https://urldefense.com/v3/__https:/issues.apache.org/jira/browse/FLINK-25375__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQwiEO9Lg$> to be released? On Mon, Dec 20, 2021 at 8:18 PM Martijn Visser <mart...@ververica.com<mailto:mart...@ververica.com>> wrote: Hi, The status and Flink ticket for upgrading to Log4j 2.17.0 can be tracked at https://issues.apache.org/jira/browse/FLINK-25375<https://urldefense.com/v3/__https:/issues.apache.org/jira/browse/FLINK-25375__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQwiEO9Lg$>. Best regards, Martijn On Sat, 18 Dec 2021 at 16:50, V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com<mailto:suchithra....@nokia.com>> wrote: Hi, It seems there is high severity vulnerability in log4j 2.16.0.(CVE-2021-45105<https://urldefense.com/v3/__https:/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQxXtq_BQ$>) Refer : https://logging.apache.org/log4j/2.x/security.html<https://urldefense.com/v3/__https:/logging.apache.org/log4j/2.x/security.html__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hScVJh0Lw$> Any update on this please? Regards, Suchithra From: Chesnay Schepler <ches...@apache.org<mailto:ches...@apache.org>> Sent: Thursday, December 16, 2021 4:35 PM To: Parag Somani <somanipa...@gmail.com<mailto:somanipa...@gmail.com>> Cc: Michael Guterl <gute...@justin.tv<mailto:gute...@justin.tv>>; V N, Suchithra (Nokia - IN/Bangalore) <suchithra....@nokia.com<mailto:suchithra....@nokia.com>>; Richard Deurwaarder <rich...@xeli.eu<mailto:rich...@xeli.eu>>; user <user@flink.apache.org<mailto:user@flink.apache.org>> Subject: Re: CVE-2021-44228 - Log4j2 vulnerability We will announce the releases when the binaries are available. On 16/12/2021 05:37, Parag Somani wrote: Thank you Chesnay for expediting this fix...! Can you suggest, when can I get binaries for 1.14.2 flink version? On Thu, Dec 16, 2021 at 5:52 AM Chesnay Schepler <ches...@apache.org<mailto:ches...@apache.org>> wrote: We will push docker images for all new releases, yes. On 16/12/2021 01:16, Michael Guterl wrote: Will you all be pushing Docker images for the 1.11.6 release? On Wed, Dec 15, 2021 at 3:26 AM Chesnay Schepler <ches...@apache.org<mailto:ches...@apache.org>> wrote: The current ETA is 40h for an official announcement. We are validating the release today (concludes in 16h), publish it tonight, then wait for mirrors to be sync (about a day), then we announce it. On 15/12/2021 12:08, V N, Suchithra (Nokia - IN/Bangalore) wrote: Hello, Could you please tell when we can expect Flink 1.12.7 release? We are waiting for the CVE fix. Regards, Suchithra From: Chesnay Schepler <ches...@apache.org><mailto:ches...@apache.org> Sent: Wednesday, December 15, 2021 4:04 PM To: Richard Deurwaarder <rich...@xeli.eu><mailto:rich...@xeli.eu> Cc: user <user@flink.apache.org><mailto:user@flink.apache.org> Subject: Re: CVE-2021-44228 - Log4j2 vulnerability We will also update the docker images. On 15/12/2021 11:29, Richard Deurwaarder wrote: Thanks for picking this up quickly! I saw you've made a second minor upgrade to upgrade to log4j2 2.16 which is perfect. Just to clarify: Will you also push new docker images for these releases as well? In particular flink 1.11.6 (Sorry we must upgrade soon! :() On Tue, Dec 14, 2021 at 2:33 AM narasimha <swamy.haj...@gmail.com<mailto:swamy.haj...@gmail.com>> wrote: Thanks TImo, that was helpful. On Mon, Dec 13, 2021 at 7:19 PM Prasanna kumar <prasannakumarram...@gmail.com<mailto:prasannakumarram...@gmail.com>> wrote: Chesnay Thank you for the clarification. On Mon, Dec 13, 2021 at 6:55 PM Chesnay Schepler <ches...@apache.org<mailto:ches...@apache.org>> wrote: The flink-shaded-zookeeper jars do not contain log4j. On 13/12/2021 14:11, Prasanna kumar wrote: Does Zookeeper have this vulnerability dependency ? I see references to log4j in Shaded Zookeeper jar included as part of the flink distribution. On Mon, Dec 13, 2021 at 1:40 PM Timo Walther <twal...@apache.org<mailto:twal...@apache.org>> wrote: While we are working to upgrade the affected dependencies of all components, we recommend users follow the advisory of the Apache Log4j Community. Also Ververica platform can be patched with a similar approach: To configure the JVMs used by Ververica Platform, you can pass custom Java options via the JAVA_TOOL_OPTIONS environment variable. Add the following to your platform values.yaml, or append to the existing value of JAVA_TOOL_OPTIONS if you are using it already there, then redeploy the platform with Helm: env: - name: JAVA_TOOL_OPTIONS value: -Dlog4j2.formatMsgNoLookups=true For any questions, please contact us via our support portal. Regards, Timo On 11.12.21 06:45, narasimha wrote: > Folks, what about the veverica platform. Is there any mitigation around it? > > On Fri, Dec 10, 2021 at 3:32 PM Chesnay Schepler > <ches...@apache.org<mailto:ches...@apache.org> > <mailto:ches...@apache.org<mailto:ches...@apache.org>>> wrote: > > I would recommend to modify your log4j configurations to set > log4j2.formatMsgNoLookups to true/./ > / > / > As far as I can tell this is equivalent to upgrading log4j, which > just disabled this lookup by default. > / > / > On 10/12/2021 10:21, Richard Deurwaarder wrote: >> Hello, >> >> There has been a log4j2 vulnerability made public >> >> https://www.randori.com/blog/cve-2021-44228/<https://urldefense.com/v3/__https:/www.randori.com/blog/cve-2021-44228/__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hT3zUr1cA$> >> >> <https://www.randori.com/blog/cve-2021-44228/<https://urldefense.com/v3/__https:/www.randori.com/blog/cve-2021-44228/__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hT3zUr1cA$>> >> which is making >> some waves :) >> This post even explicitly mentions Apache Flink: >> >> https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/<https://urldefense.com/v3/__https:/securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQ-1px2RQ$> >> >> <https://securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/<https://urldefense.com/v3/__https:/securityonline.info/apache-log4j2-remote-code-execution-vulnerability-alert/__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQ-1px2RQ$>> >> >> And fortunately, I saw this was already on your radar: >> >> https://issues.apache.org/jira/browse/FLINK-25240<https://urldefense.com/v3/__https:/issues.apache.org/jira/browse/FLINK-25240__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQoveuE5g$> >> >> <https://issues.apache.org/jira/browse/FLINK-25240<https://urldefense.com/v3/__https:/issues.apache.org/jira/browse/FLINK-25240__;!!JmoZiZGBv3RvKRSx!s8Jk-O4daXoZsQqX4QpS0yP5qE9KVhB5B72pMd6rcmn61kP002Fpi5Qi_hQoveuE5g$>> >> >> What would the advice be for flink users? Do you expect to push a >> minor to fix this? Or is it advisable to upgrade to the latest >> log4j2 version manually for now? >> >> Thanks for any advice! > > > > > -- > A.Narasimha Swamy -- A.Narasimha Swamy -- Regards, Parag Surajmal Somani. -- A.Narasimha Swamy
