最近,Apache Log4j 出现了新的”Zero Day“漏洞。目前已在 CVE-2021-44228 下对其进行跟踪。
Apache Flink 捆绑了受此漏洞影响的 Log4j 版本。我们建议用户遵循 Apache Log4j 社区的建议。对于 Apache Flink,在 flink-conf.yaml 中设置以下属性:
env.java.opts: -Dlog4j2.formatMsgNoLookups=true
如果您已经了设置 env.java.opts.jobmanager、env.java.opts.taskmanager、env.java.opts.client 或 env.java.opts.historyserver,您应该将系统更改添加到这些现有参数列表中。
一旦 Log4j 在 Apache Flink 中升级到 2.15.0,就不再需要了。FLINK-25240 中跟踪了这项工作。它将包含在 Flink 1.15.0、Flink 1.14.1 和 Flink 1.13.3 中。我们预计 Flink 1.14.1 将在未来 1-2 周内发布。其他版本将按照他们的常规节奏进行。
官网原文如下:
Yesterday, a new Zero Day for Apache Log4j was reported. It is by now tracked under CVE-2021-44228.
Apache Flink is bundling a version of Log4j that is affected by this vulnerability. We recommend users to follow the advisory of the Apache Log4j Community. For Apache Flink this currently translates to setting the following property in your flink-conf.yaml:
env.java.opts: -Dlog4j2.formatMsgNoLookups=true
If you are already setting env.java.opts.jobmanager, env.java.opts.taskmanager, env.java.opts.client, or env.java.opts.historyserver you should instead add the system change to those existing parameter lists.
As soon as Log4j has been upgraded to 2.15.0 in Apache Flink, this is not necessary anymore. This effort is tracked in FLINK-25240. It will be included in Flink 1.15.0, Flink 1.14.1 and Flink 1.13.3. We expect Flink 1.14.1 to be released in the next 1-2 weeks. The other releases will follow in their regular cadence.
