OESA-2022-1943

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1943

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2022-1943.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2022-1943

Upstream

CVE-2021-44228

Published

2022-09-23T11:04:19Z

Modified

2025-08-12T05:10:40.896637Z

Summary

flink security update

Details

Apache Flink is a framework and distributed processing engine for stateful computations over unbounded and bounded data streams. Flink has been designed to run in all common cluster environments, perform computations at in-memory speed and at any scale.

Security Fix(es):

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.(CVE-2021-44228)

Database specific

{
    "severity": "Critical"
}

References

Affected packages

openEuler:20.03-LTS-SP1 / flink

Package

Name: flink
Purl: pkg:rpm/openEuler/flink&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.7-2.oe1

Ecosystem specific

{
    "src": [
        "flink-1.12.7-2.oe1.src.rpm"
    ],
    "x86_64": [
        "flink-1.12.7-2.oe1.x86_64.rpm"
    ],
    "aarch64": [
        "flink-1.12.7-2.oe1.aarch64.rpm"
    ]
}