Uploaded image for project: 'Flink'
  1. Flink
  2. FLINK-25394

[Flink-ML] Upgrade log4j to 2.17.0 to address CVE-2021-45105

    XMLWordPrintableJSON

Details

    Description

      Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

      Attachments

        Issue Links

          Activity

            People

              Abdelrahman-ik Abdelrahman
              Abdelrahman-ik Abdelrahman
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: