Abdelrahman created FLINK-25394:
-----------------------------------
Summary: [Flink-ML] Upgrade log4j to 2.17.0 to address
CVE-2021-45105
Key: FLINK-25394
URL: https://issues.apache.org/jira/browse/FLINK-25394
Project: Flink
Issue Type: Improvement
Affects Versions: 1.14.2
Reporter: Abdelrahman
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from
uncontrolled recursion from self-referential lookups. When the logging
configuration uses a non-default Pattern Layout with a Context Lookup (for
example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC)
input data can craft malicious input data that contains a recursive lookup,
resulting in a StackOverflowError that will terminate the process. This is also
known as a DOS (Denial of Service) attack.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
