# pinot-dev
Hi Pinot Team, could you please confirm what the impact of the log4j vulnerability is on Pinot? I can see there are log4j 2.x dependencies. Also, what is the plan to remediate it?
As per the previous msg from @User:
@User can you merge this please? https://github.com/apache/pinot/pull/7889
Hi, doing it now.
I haven't heard of a target release that would contain this fix, though maybe I missed it. In any case, you can mitigate the issue by editing the log4j2 config file to set `log4j2.formatMsgNoLookups` to `true` (or by setting the same via system property).
@User @User maybe a blog post about how to mitigate the above, à la https://flink.apache.org/2021/12/10/log4j-cve.html?
@User will be the right person to talk about this.
We are releasing 0.9.1, which includes the commit above; @User is in charge of that.
What users should do in the meantime is set `-Dlog4j2.formatMsgNoLookups=true`.
You may have read that this exploit is mitigated by running a recent JDK version, but that is misleading on two counts:
• The attacker can still make log4j2 connect to a remote address even if a downloaded class would not be loaded, which allows a DoS attack.
• Under some circumstances, which I won't detail in public, RCE can happen even on the latest JDK.
So deploy the flag ASAP; do not rely on protection from the JVM.
@User @User is the version 9.1 release expected to be released soon?
Yes
What is the ETA?
Release candidate is cut. Waiting for the vote
That's awesome, thanks.