# pinot-dev

Ankit Kumar

12/12/2021, 12:05 AM
Hi Pinot Team, could you please confirm what the impact of the log4j vulnerability is on Pinot? I can see there are log4j 2.x dependencies; also, what is the plan to remediate it?

Ken Krugler

12/12/2021, 4:33 PM
As per the previous msg from @User:
@User can you merge this please? https://github.com/apache/pinot/pull/7889

Kartik Khare

12/12/2021, 4:33 PM
Hi, doing it now.

Ken Krugler

12/12/2021, 4:37 PM
Though I haven’t heard of a target release that would contain this fix, maybe I missed it. In any case, you can mitigate the issue by editing the log4j2 config file to set log4j2.formatMsgNoLookups to true (or by setting the same via system property).
@User @User maybe a blog post about how to mitigate the above, ala https://flink.apache.org/2021/12/10/log4j-cve.html?

Kishore G

12/12/2021, 11:15 PM
@User will be the right person to talk about this.

Richard Startin

12/13/2021, 10:05 AM
We are releasing 0.9.1, which includes the commit above; @User is in charge of that.
What users should do in the meantime is set -Dlog4j2.formatMsgNoLookups=true
You may have read that this exploit is mitigated by running a recent JDK version, but that is misleading on two counts:
• The attacker can still make log4j2 connect to a remote address even if a downloaded class would not be loaded, which allows a DoS attack
• Under some circumstances, which I won't detail in public, RCE can happen even on the latest JDK
So deploy the flag ASAP; do not rely on protection from the JVM.

Abhijeet Kushe

12/13/2021, 5:26 PM
@User @User is the version 9.1 release expected to be released soon?

Xiang Fu

12/13/2021, 5:54 PM
Yes

Abhijeet Kushe

12/13/2021, 5:54 PM
What is the ETA?

Xiang Fu

12/13/2021, 5:56 PM
Release candidate is cut. Waiting for the vote.

Abhijeet Kushe

12/13/2021, 5:57 PM
That's awesome, thanks.