From 624624dc9e68c366e5d144f995f6b819b9a2cd41 Mon Sep 17 00:00:00 2001
From: justmurphy <96064251+justmurphy@users.noreply.github.com>
Date: Wed, 22 Dec 2021 09:25:19 -0500
Subject: [PATCH] Update Apache Flink, issue #327

---
 SOFTWARE-LIST.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SOFTWARE-LIST.md b/SOFTWARE-LIST.md
index d0a6da2..0bb853e 100644
--- a/SOFTWARE-LIST.md
+++ b/SOFTWARE-LIST.md
@@ -67,7 +67,7 @@ This list was initially populated using information from the following sources:
 | Apache | Camel JBang | <=3.1.4 | Affected | No | [APACHE CAMEL AND CVE-2021-44228 (LOG4J)](https://camel.apache.org/blog/2021/12/log4j2/) | | | 12/13/2021 |
 | Apache | Camel 2 | | Not Affected | None | [APACHE CAMEL AND CVE-2021-44228 (LOG4J)](https://camel.apache.org/blog/2021/12/log4j2/) | | | 12/13/2021 |
 | Apache | Druid | < druid 0.22.0 | Affected | Yes | [Release druid-0.22.1 · apache/druid · GitHub](https://github.com/apache/druid/releases/tag/druid-0.22.1) | | | 12/12/2021 |
-| Apache | Flink | < flink 1.15.0, 1.14.1, 1.13.3 | Affected | No | [Apache Flink: Advise on Apache Log4j Zero Day (CVE-2021-44228)](https://flink.apache.org/2021/12/10/log4j-cve.html) | | | 12/12/2021 |
+| Apache | Flink | < 1.14.2, 1.13.5, 1.12.7, 1.11.6  | Fixed | Yes | [Apache Flink: Advise on Apache Log4j Zero Day (CVE-2021-44228)](https://flink.apache.org/2021/12/10/log4j-cve.html) | To clarify and avoid confusion: The 1.14.1 / 1.13.4 / 1.12.6 / 1.11.5 releases, which were supposed to only contain a Log4j upgrade to 2.15.0, were skipped because CVE-2021-45046 was discovered during the release publication. The new 1.14.2 / 1.13.5 / 1.12.7 / 1.11.6 releases include a version upgrade for Log4j to version 2.16.0 to address CVE-2021-44228 and CVE-2021-45046. | [https://flink.apache.org/news/2021/12/16/log4j-patch-releases.html](https://flink.apache.org/news/2021/12/16/log4j-patch-releases.html) | 12/12/2021 |
 | Apache | Kafka | All | Not Affected | No | [Kafka Apache List](https://kafka.apache.org/cve-list) | The current DB lists Apache Kafka as impacted. Apache Kafka uses Log4jv1, not v2. | | 12/14/2021 |
 | Apache | Kafka | Unknown | Affected | No | [Log4j – Apache Log4j Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.html)| Only vulnerable in certain configuration(s) | | |
 | Apache | Log4j | < 2.15.0 | Affected | Yes | [Log4j – Apache Log4j Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.html) | | | |