Advise on Apache Log4j Zero Day (CVE-2021-44228)

10 Dec 2021 Konstantin Knauf

Please see this for our updated recommendation regarding this CVE.

Yesterday, a new Zero Day for Apache Log4j was reported. It is by now tracked under CVE-2021-44228.

Apache Flink is bundling a version of Log4j that is affected by this vulnerability. We recommend users to follow the advisory of the Apache Log4j Community. For Apache Flink this currently translates to setting the following property in your flink-conf.yaml:

env.java.opts: -Dlog4j2.formatMsgNoLookups=true

If you are already setting env.java.opts.jobmanager, env.java.opts.taskmanager, env.java.opts.client, or env.java.opts.historyserver you should instead add the system change to those existing parameter lists.

As soon as Log4j has been upgraded to 2.15.0 in Apache Flink, this is not necessary anymore. This effort is tracked in FLINK-25240. It will be included in Flink 1.15.0, Flink 1.14.1 and Flink 1.13.3. We expect Flink 1.14.1 to be released in the next 1-2 weeks. The other releases will follow in their regular cadence.