Hi Pinot Team,
Could you please confirm what is th...
# pinot-deva
Ankit Kumar
12/12/2021, 12:05 AMHi Pinot Team,
Could you please confirm what is the impact of log4j Vulnerability in Pinot.
I can see there are log4j 2.x dependencies also what is the plan to remediate it
k
Ken Krugler
12/12/2021, 4:33 PMAs per the previous msg from @User:
@User can you merge this please?https://github.com/apache/pinot/pull/7889
k
Kartik Khare
12/12/2021, 4:33 PMHi,
doing it now.
k
Ken Krugler
12/12/2021, 4:37 PMThough I haven’t heard of a target release that would contain this fix, but maybe I missed it. In any case, you can mitigate the issue by editing the log4j2 config file to set
log4j2.formatMsgNoLookupstrueKen Krugler
12/12/2021, 11:13 PM@User @User maybe a blog post about how to mitigate the above, ala https://flink.apache.org/2021/12/10/log4j-cve.html?
k
Kishore G
12/12/2021, 11:15 PM
@User will be the right person who talk about this.
r
Richard Startin
12/13/2021, 10:05 AMWe are releasing 0.9.1 which includes the commit above, @User is in charge of that.
Richard Startin
12/13/2021, 10:07 AMWhat users should do in the mean time is set
-Dlog4j2.formatMsgNoLookups=trueRichard Startin
12/13/2021, 10:09 AMYou may have read that this exploit is mitigated by running a recent JDK version, but that is misleading on two counts:
• The attacker can still make log4j2 connect to a remote address even if a downloaded class would not be loaded, which allows a DOS attack
• under some circumstances, which I won't detail in public, RCE can happen even on the latest JDK
Richard Startin
12/13/2021, 10:10 AMSo deploy the flag ASAP, do not rely on protection from the JVM
a
Abhijeet Kushe
12/13/2021, 5:26 PM@User @User is version 9.1 release expected to be released soon ?
x
Xiang Fu
12/13/2021, 5:54 PM
Yes
👍 1
a
Abhijeet Kushe
12/13/2021, 5:54 PMwhat is the ETA ?
x
Xiang Fu
12/13/2021, 5:56 PM
Release candidate is cut. Waiting for the vote
a
Abhijeet Kushe
12/13/2021, 5:57 PMthats awesome thanks