Apache Flink Log4j emergency releases

16 Dec 2021 Chesnay Schepler

The Apache Flink community has released emergency bugfix versions of Apache Flink for the 1.11, 1.12, 1.13 and 1.14 series.

These releases only include a version upgrade for Log4j to address CVE-2021-44228 and CVE-2021-45046.

We highly recommend that all users upgrade to the respective patch release.

You can find the source and binaries on the updated Downloads page, and Docker images in the apache/flink Docker Hub repository.

We are publishing this announcement earlier than usual to give users access to the updated source/binary releases as soon as possible.

As a result, certain artifacts are not yet available:

  • Maven artifacts are currently being synced to Maven Central and will become available over the next 24 hours.
  • The 1.11.6/1.12.7 Python binaries will be published at a later date.

This post will be continuously updated to reflect the latest state.

The newly released versions are:

  • 1.14.2
  • 1.13.5
  • 1.12.7
  • 1.11.6

To clarify and avoid confusion: the 1.14.1 / 1.13.4 / 1.12.6 / 1.11.5 releases, which were supposed to contain only a Log4j upgrade to 2.15.0, were skipped because CVE-2021-45046 was discovered during the release publication. Some artifacts were published to Maven Central, but no source/binary releases or Docker images are available for those versions.