Hi Puneet,
Flink logs things like the job name which can be specified by the user.
Hence, a user could (as far as I understand) add a job name containing
malicious content. This is where the Flink cluster's log4j version comes
into play. Therefore, it's not enough to provide only an updated log4j
dependency with your job uber jar.

Best,
Matthias

On Wed, Dec 22, 2021 at 12:57 PM Puneet Duggal <puneetduggal1...@gmail.com>
wrote:

> Hi,
>
> Context: I am using Flink version 1.12.1 for real-time event processing.
> This Flink uses log4j version 2.12.1, but the jar that I am uploading uses
> 2.17.0.
>
> Now my assumption is that Flink, being generic in nature, does not log
> event-specific data; logging it is the responsibility of the user-specific
> code which is uploaded via the jar.
>
> Since the log4j vulnerability is caused by an attacker sending a malicious
> string which performs a lookup to the attacker's server, getting attacked by
> this string is only possible (in my case) if the malicious string is set as
> the value of a key which is then logged by my code. But my uber jar uses
> log4j version 2.17.0.
>
> So my doubt is whether there is any situation that I am missing because of
> which I should upgrade the log4j version of the cluster as well, or whether
> just upgrading the log4j version of my jar should suffice.
>
> Thanks,
> Puneet Duggal
>
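The practical consequence of Matthias's answer is that the log4j version to audit is the one in the cluster's own lib directory, not the one shaded into a job jar, because the job name and similar user-supplied values are logged by the cluster's log4j. The following script is an added example, not part of this thread or of the Flink project: it lists the log4j-core jars found in a lib directory and reports any older than a required minimum. The directory layout, the jar naming pattern, the 2.17.0 minimum and the sample directory built in `demo()` are all assumptions made for the example.

```python
"""Report log4j-core jars in a Flink lib directory that are below a minimum version.

Added example, not from the mailing-list thread or the Flink project.
Assumptions: log4j-core ships as a file named log4j-core-<version>.jar
directly under the lib directory, and the minimum acceptable version
is 2.17.0 (the version mentioned in the thread).
"""
import re
import tempfile
from pathlib import Path

# Assumed naming pattern for the jar we care about.
JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple:
    """Turn '2.12.1' into (2, 12, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def find_log4j_core(lib_dir) -> dict:
    """Map each log4j-core jar file name under lib_dir to its parsed version."""
    found = {}
    for entry in Path(lib_dir).iterdir():
        match = JAR_RE.match(entry.name)
        if match and entry.is_file():
            found[entry.name] = parse_version(match.group(1))
    return found


def outdated(lib_dir, minimum: str = "2.17.0") -> list:
    """Return the names of log4j-core jars older than `minimum`, sorted."""
    min_version = parse_version(minimum)
    return sorted(
        name for name, version in find_log4j_core(lib_dir).items()
        if version < min_version
    )


def demo(core_version: str = "2.12.1") -> list:
    """Build a constructed, fake Flink lib/ directory and run the check on it.

    The file names are sample values mirroring the thread (Flink 1.12.1 with
    log4j 2.12.1); they are empty placeholder files, not real jars.
    """
    with tempfile.TemporaryDirectory() as tmp:
        for name in (
            "flink-dist_2.12-1.12.1.jar",
            f"log4j-core-{core_version}.jar",
            f"log4j-api-{core_version}.jar",
        ):
            Path(tmp, name).touch()
        return outdated(tmp)


if __name__ == "__main__":
    # Point this at a real cluster with: outdated("/opt/flink/lib")  (path is an assumption)
    print("outdated log4j-core jars in sample lib/:", demo())
```

Run it against `$FLINK_HOME/lib` on each JobManager and TaskManager host; an empty result for every host means the cluster-side logger that handles user-supplied values such as the job name is at or above the minimum, which the thread identifies as the part the job jar cannot fix.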
