Hey guys. Regarding <https://nvd.nist.gov/vuln/det...
# generall
Lars-Kristian Svenøy
12/10/2021, 5:02 PMHey guys. Regarding https://nvd.nist.gov/vuln/detail/CVE-2021-44228 (The Log4j vulnerability) when can we expect a release of Pinot to mitigate that? I see you just recently merged a PR to deal with it: https://github.com/apache/pinot/pull/7889
m
Mayank
12/10/2021, 5:56 PM
Hey @User what version of jvm are you using and is your Pinot accessible from internet?
Mayank
12/10/2021, 5:56 PM
Copy code
JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load a remote codebase using LDAP.Mayank
12/10/2021, 5:59 PM
In the interim, you can
formatMsgNoLookups=truel
Lars-Kristian Svenøy
12/10/2021, 6:04 PMI am using the jdk11 image of pinot, is it built with > 11.0.1?
p
Prashant Pandey
12/11/2021, 10:54 AM@User Is there an emergency release planned for this?
x
Xiang Fu
12/12/2021, 12:57 AM
@User yes, it’s build with
Copy code
openjdk version "11.0.13" 2021-10-19
OpenJDK Runtime Environment 18.9 (build 11.0.13+8)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.13+8, mixed mode, sharing)m
Mayank
12/12/2021, 4:17 PM
We have also update the docker image from master with the fix and cutting a patch for 0.9.1
b
Barna Lipics
12/13/2021, 4:10 PM@User do you have an estimation when do you plan to make 0.9.1 available at Dockerhub?
m
Mayank
12/13/2021, 10:02 PM
Should be today @User cc: @User
🎉 2
x
Xiang Fu
12/13/2021, 10:02 PM
it’s there as well