[
https://issues.apache.org/jira/browse/FLINK-25394?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17463748#comment-17463748
]
Yun Gao commented on FLINK-25394:
---------------------------------
Merge on master via 27912247153e6f6d2c8ae82c2500de4960897f0f
> [Flink-ML] Upgrade log4j to 2.17.0 to address CVE-2021-45105
> ------------------------------------------------------------
>
> Key: FLINK-25394
> URL: https://issues.apache.org/jira/browse/FLINK-25394
> Project: Flink
> Issue Type: Improvement
> Affects Versions: ml-2.0.0
> Reporter: Abdelrahman
> Priority: Critical
> Labels: pull-request-available
> Fix For: ml-2.0.0
>
>
> Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from
> uncontrolled recursion from self-referential lookups. When the logging
> configuration uses a non-default Pattern Layout with a Context Lookup (for
> example, $${ctx:loginId}), attackers with control over Thread Context Map
> (MDC) input data can craft malicious input data that contains a recursive
> lookup, resulting in a StackOverflowError that will terminate the process.
> This is also known as a DOS (Denial of Service) attack.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
