Apache Flink Log4j emergency releases
December 16, 2021 - Chesnay ScheplerThe Apache Flink community has released emergency bugfix versions of Apache Flink for the 1.11, 1.12, 1.13 and 1.14 series.
These releases only include a version upgrade for Log4j to address CVE-2021-44228 and CVE-2021-45046.
We highly recommend all users to upgrade to the respective patch release.
You can find the source and binaries on the updated Downloads page, and Docker images in the apache/flink dockerhub repository.
As a result of that certain artifacts are not yet available:
- Maven artifacts are currently being synced to Maven central and will become available over the next 24 hours.
- The 1.11.6/1.12.7 Python binaries will be published at a later date.
This post will be continously updated to reflect the latest state.
- 1.14.2
- 1.13.5
- 1.12.7
- 1.11.6
To clarify and avoid confusion: The 1.14.1 / 1.13.4 / 1.12.6 / 1.11.5 releases, which were supposed to only contain a Log4j upgrade to 2.15.0, were skipped because CVE-2021-45046 was discovered during the release publication. Some artifacts were published to Maven Central, but no source/binary releases nor Docker images are available for those versions.