[ https://issues.apache.org/jira/browse/FLINK-25240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458964#comment-17458964 ]
João Boto commented on FLINK-25240: ----------------------------------- new version of log4j is available (2.16.0) that fully disables all JNDI related functionality, and removes the lookups feature https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0 > Update log4j2 version to 2.15.0 > -------------------------------- > > Key: FLINK-25240 > URL: https://issues.apache.org/jira/browse/FLINK-25240 > Project: Flink > Issue Type: Improvement > Components: API / Core > Affects Versions: 1.13.0 > Reporter: Ada Wong > Assignee: Ada Wong > Priority: Blocker > Labels: pull-request-available > Fix For: 1.11.5, 1.12.6, 1.15.0, 1.14.1, 1.13.4 > > > 2.0 <= Apache log4j2 <= 2.14.1 have a RCE zero day. > [https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html] > https://www.lunasec.io/docs/blog/log4j-zero-day/ -- This message was sent by Atlassian Jira (v8.20.1#820001)