Apache Flink Log4j emergency releases

December 16, 2021 - Chesnay Schepler

The Apache Flink community has released emergency bugfix versions of Apache Flink for the 1.11, 1.12, 1.13 and 1.14 series.

These releases only include a version upgrade for Log4j to address CVE-2021-44228 and CVE-2021-45046.

We strongly recommend that all users upgrade to the respective patch release.

You can find the source and binaries on the updated Downloads page, and Docker images in the apache/flink Docker Hub repository.

We are publishing this announcement earlier than usual to give users access to the updated source/binary releases as soon as possible.

As a result, certain artifacts are not yet available:

  • Maven artifacts are currently being synced to Maven Central and will become available over the next 24 hours.
  • The 1.11.6/1.12.7 Python binaries will be published at a later date.

This post will be continuously updated to reflect the latest state.

The newly released versions are:
  • 1.14.2
  • 1.13.5
  • 1.12.7
  • 1.11.6

To clarify and avoid confusion: The 1.14.1 / 1.13.4 / 1.12.6 / 1.11.5 releases, which were supposed to only contain a Log4j upgrade to 2.15.0, were skipped because CVE-2021-45046 was discovered during the release publication. Some artifacts were published to Maven Central, but neither source/binary releases nor Docker images are available for those versions.