Flink / FLINK-21670

Bump log4j versions (two places - 2.8.2 for Python, 2.13.2 elsewhere)


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Component: Build System

    Description

      Hey everyone, another Twistlock scan done and, in the same manner as https://issues.apache.org/jira/browse/STORM-2528, it appears the Flink Python jar is impacted.

      Apparently we're using version 2.6.2, and bumping to 2.8.2 should be sufficient to remediate at least this potential problem: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5645

      I've done this scan against both 1.13 and 1.12.2, so ideally it should be fixed in both if possible, please.

      Also, while on the subject of log4j, this time not for the Flink Python jar: bumping org.apache.logging.log4j_log4j-api from 2.12.1 to 2.13.2 should fix CVE-2020-9488 (the file in question picked up is "/opt/flink/lib/log4j-api-2.12.1.jar").

      Cheers!
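The kind of check a scanner such as Twistlock performs on an install like the one described above, written out as an added example (this is not Flink's code nor the reporter's): it takes the two fix versions exactly as the ticket states them (2.8.2 for CVE-2017-5645, 2.13.2 for CVE-2020-9488; assumption: taken from the ticket text, not re-verified against NVD here), recognises log4j 2.x jars both by file name under a lib directory and by the Maven pom.properties bundled inside a jar (which is how an old log4j-core hidden in a fat Python jar gets found), and compares versions numerically. The numeric compare matters: as strings, "2.8.2" sorts after "2.13.2", so a naive string comparison would report 2.13.2 as vulnerable and 2.8.2 as fixed. All paths, jar names and jar contents below are constructed sample data.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fix versions exactly as stated in the ticket. Assumption: taken from the
# ticket text, not re-verified against NVD here.
FIXED_IN: Dict[str, Version] = {
    "CVE-2017-5645": (2, 8, 2),
    "CVE-2020-9488": (2, 13, 2),
}

# log4j 2.x artifacts shipped as plain jars, e.g. log4j-api-2.12.1.jar
LOG4J_JAR_NAME = re.compile(r"^(log4j-[a-z0-9.-]+?)-(\d+(?:\.\d+)+)\.jar$")
# Maven metadata that a bundled/shaded copy of log4j carries inside a jar
LOG4J_POM_PROPS = re.compile(
    r"^META-INF/maven/org\.apache\.logging\.log4j/([^/]+)/pom\.properties$"
)


def parse_version(text: str) -> Version:
    """Turn "2.13.2" into (2, 13, 2) so comparisons are numeric, not lexical.

    Plain string comparison gets this wrong: "2.8.2" > "2.13.2" as strings.
    """
    return tuple(int(part) for part in text.split("."))


def missing_fixes(version: Version) -> List[str]:
    """CVEs whose fix version is newer than the version found."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def log4j_from_name(path: str) -> Optional[Tuple[str, str]]:
    """Recognise a top-level log4j jar from its file name alone."""
    m = LOG4J_JAR_NAME.match(path.rsplit("/", 1)[-1])
    return (m.group(1), m.group(2)) if m else None


def log4j_from_contents(jar: bytes) -> List[Tuple[str, str]]:
    """Find log4j artifacts bundled inside a jar via their Maven pom.properties."""
    found: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for entry in zf.namelist():
            m = LOG4J_POM_PROPS.match(entry)
            if not m:
                continue
            props = dict(
                line.split("=", 1)
                for line in zf.read(entry).decode().splitlines()
                if "=" in line and not line.startswith("#")
            )
            if "version" in props:
                artifact = props.get("artifactId", m.group(1)).strip()
                found.append((artifact, props["version"].strip()))
    return found


def audit(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each path to findings such as "log4j-api 2.12.1 missing fix for CVE-2020-9488"."""
    findings: Dict[str, List[str]] = {}
    for path, data in files.items():
        hits = log4j_from_contents(data)
        named = log4j_from_name(path)
        if named and named not in hits:
            hits.append(named)
        for artifact, version in hits:
            for cve in missing_fixes(parse_version(version)):
                findings.setdefault(path, []).append(
                    f"{artifact} {version} missing fix for {cve}"
                )
    return findings


def _jar_with_pom(artifact: str, version: str) -> bytes:
    """Build a minimal jar whose only content is a log4j pom.properties (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties",
            f"groupId=org.apache.logging.log4j\nartifactId={artifact}\nversion={version}\n",
        )
    return buf.getvalue()


# Constructed sample "install": paths and contents are made up for this example.
SAMPLE_FILES: Dict[str, bytes] = {
    "/opt/flink/lib/log4j-api-2.12.1.jar": _jar_with_pom("log4j-api", "2.12.1"),
    "/opt/flink/lib/log4j-core-2.13.2.jar": _jar_with_pom("log4j-core", "2.13.2"),
    # hypothetical Python jar that bundles an old log4j-core under a name that hides it
    "/opt/flink/opt/python/example-python.jar": _jar_with_pom("log4j-core", "2.6.2"),
}


if __name__ == "__main__":
    for path, issues in audit(SAMPLE_FILES).items():
        for issue in issues:
            print(f"{path}: {issue}")
```

To run it against a real install, replace SAMPLE_FILES with a dict built by reading every `*.jar` under the Flink lib and opt directories; the file-name match alone is not enough, because a fat jar that shades log4j will only reveal the bundled version through its pom.properties entries.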

      People

        Assignee: Unassigned
        Reporter: Adam Roberts (aroberts)