Skip to content

Update log4j to fix RCE zero day. #714

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 15, 2021
Merged

Update log4j to fix RCE zero day. #714

merged 1 commit into from
Dec 15, 2021

Conversation

snuyanzin
Copy link
Contributor

2.0 <= Apache log4j2 <= 2.14.1 have a RCE zero day.
https://www.lunasec.io/docs/blog/log4j-zero-day/

@leonardBang
Copy link
Contributor

@snuyanzin Thanks for the timely fix, LGTM

@leonardBang
Copy link
Contributor

@snuyanzin Could you update the version to 2.16.0 ? The Log4J team release a better version :
https://twitter.com/brunoborges/status/1470622226634268685?t=qfzL-7Ae9lloayVVUfCI9A&s=19

@snuyanzin
Copy link
Contributor Author

snuyanzin commented Dec 14, 2021
edited by leonardBang
Loading

@leonardBang , done

@leonardBang
Copy link
Contributor

@leonardBang , done

Cool, will merge once the CI passed.

@snuyanzin
Copy link
Contributor Author

suddenly it fails on mongo connector...

	at java.lang.Thread.sleep(Native Method)
	at com.ververica.cdc.connectors.mongodb.table.MongoDBConnectorITCase.waitForSinkSize(MongoDBConnectorITCase.java:480)
	at com.ververica.cdc.connectors.mongodb.table.MongoDBConnectorITCase.testConsumingAllEvents(MongoDBConnectorITCase.java:149)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

now sure it is related to log4j updates..
Is there a way to restart the build to see if it is reproducible?

@GOODBOY008
Copy link
Member

GOODBOY008 commented Dec 14, 2021
edited
Loading 

	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Mongodb connector test sometimes to fail.I had create a issue for this.

@snuyanzin @leonardBang
Update to log4j2 to 2.16.0
5d4f0bb 
Update log4j

2.0 <= Apache log4j2 <= 2.14.1 have a RCE zero day.
https://www.lunasec.io/docs/blog/log4j-zero-day/
@leonardBang leonardBang merged commit 9838cae into apache:master Dec 15, 2021
@leonardBang
Copy link
Contributor

leonardBang commented Dec 15, 2021
edited
Loading

Note: Fink CDC Project only uses log4j2 in test and won‘t package the log4j2 dependency which means Flink CDC connector won't be influenced by CVE-2021-44228/CVE-2021-45046.

leonardBang pushed a commit to leonardBang/flink-cdc-connectors that referenced this pull request Dec 16, 2021
@snuyanzin @leonardBang
[build] Bump log4j2 version to 2.16.0 (apache#714)
d9c5083
leonardBang pushed a commit that referenced this pull request Dec 16, 2021
@snuyanzin @leonardBang
[build] Bump log4j2 version to 2.16.0 (#714)
57a5679
@leonardBang leonardBang added this to the V2.2.0 milestone Dec 17, 2021
@GOODBOY008 GOODBOY008 mentioned this pull request Dec 17, 2021
Closed
ChaomingZhangCN pushed a commit to ChaomingZhangCN/flink-cdc that referenced this pull request Jan 13, 2025
@snuyanzin
[build] Bump log4j2 version to 2.16.0 (apache#714)
e4c7a0f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
V2.2.0
Development

Successfully merging this pull request may close these issues.
3 participants
@snuyanzin @leonardBang @GOODBOY008