
Security Advisory - Log4Shell



What is Log4Shell?

A Remote Code Execution (RCE) vulnerability was discovered in the popular Java logging library, Log4j. It is tracked via CVE-2021-44228 and is known as Log4Shell. This is a serious vulnerability that affects many software products and online services.

How are Apache Flink and Ververica Platform affected by the Log4Shell vulnerability?

Apache Flink 1.11+ is affected by both vulnerabilities. Apache Flink 1.10 and earlier versions are not affected by this vulnerability.

All Ververica Platform components other than Apache Flink are unaffected, as they use Logback instead of Log4j. In the context of Log4Shell, a related, less severe vulnerability has also been identified in Logback. Exploiting it requires write access to the Logback configuration file, which should not be the case in typical Ververica Platform deployments.

What actions should I take?

Following the emergency releases of Apache Flink, which upgraded Log4j to 2.16.0, we have just released new versions of our distribution of Apache Flink for Flink 1.10 to Flink 1.14:

  • Flink 1.10.3-[stream|spring]2
  • Flink 1.11.6-[stream|spring]1
  • Flink 1.12.7-[stream|spring]1
  • Flink 1.13.5-[stream|spring]1
  • Flink 1.14.2-[stream|spring]1

Unlike upstream Apache Flink 1.10, Ververica’s distribution of Apache Flink 1.10 is affected by Log4Shell, because it already uses Log4j 2 whereas upstream Apache Flink 1.10 still uses Log4j 1.

In addition, we have released Ververica Platform 2.5.3 and Ververica Platform 2.6.1 which reference the updated Flink images in their configuration and — just in case — include an upgraded version of Logback.

We recommend that all users of Ververica Platform 2.5 and Ververica Platform 2.6 upgrade as soon as possible.

We also recommend any user of Ververica Platform to upgrade all of their Deployments to use the newly released versions of Apache Flink regardless of which version of Ververica Platform they are using. Please check this documentation on how to add new Flink images to the Ververica Platform configuration. Please check the release notes of Ververica Platform 2.5.3 and Ververica Platform 2.6.1 as well as the respective documentation for a complete list of available images.
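To verify that a Deployment really picked up a fixed Flink image, the following added example (not Ververica's or Apache Flink's own tooling) scans a Flink `lib/` directory for `log4j-core` jars older than 2.16.0 and cross-checks each jar's manifest against its file name. The sample `lib/` directory is constructed in a temporary folder; the jar names and manifest contents are assumptions for the demonstration.

```python
import os
import re
import tempfile
import zipfile

FIXED = (2, 16, 0)  # Log4j 2 version the Flink emergency releases moved to
CORE_JAR = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")  # Log4j 2 core only
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def manifest_version(jar_path):
    """Implementation-Version from META-INF/MANIFEST.MF as a tuple, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    v = VERSION.match(m.group(1)) if m else None
    return tuple(int(x) for x in v.groups()) if v else None


def audit_flink_lib(lib_dir):
    """Map each log4j-core jar in lib_dir to 'ok', 'vulnerable' or 'mismatch'.
    Log4j 1.x jars (upstream Flink 1.10) and Logback jars are not subject to
    CVE-2021-44228 and are skipped."""
    report = {}
    for name in sorted(os.listdir(lib_dir)):
        m = CORE_JAR.match(name)
        if not m:
            continue
        named = tuple(int(x) for x in m.groups())
        inside = manifest_version(os.path.join(lib_dir, name))
        if inside is not None and inside != named:
            report[name] = "mismatch"  # renamed or repacked jar: inspect by hand
        elif named < FIXED:
            report[name] = "vulnerable"
        else:
            report[name] = "ok"
    return report


def make_sample_lib():
    """Constructed lib/ directory (not a real Flink image): manifest-only jars."""
    d = tempfile.mkdtemp()
    for jar, impl in [("log4j-core-2.12.1.jar", "2.12.1"),  # stale: vulnerable
                      ("log4j-core-2.16.0.jar", "2.16.0"),  # fixed
                      ("log4j-1.2.17.jar", "1.2.17"),       # Log4j 1: skipped
                      ("logback-core-1.2.3.jar", "1.2.3")]:  # Logback: skipped
        with zipfile.ZipFile(os.path.join(d, jar), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\nImplementation-Version: %s\n" % impl)
    return d
```

Run `audit_flink_lib("/path/to/flink/lib")` against a real image to get the same report; any `vulnerable` or `mismatch` entry means the Deployment is not yet on one of the fixed distributions listed above.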

How is Ververica affected by Log4Shell beyond Ververica Platform?

We’ve identified all internal, internet-facing services that were using Log4j 2, implemented the upgrades, and applied the recommended mitigation measures.

We are working with our sub-processors to ensure they remediate any vulnerabilities in their environments. These sub-processors are primarily related to customer incident response (Zendesk, Pagerduty).

In case of questions please get in touch or reach out to your account manager.



Article by: Konstantin Knauf
