CVE-2021-42010: 
Java vulnerability analysis and mitigation

Apache Heron (Incubating) versions 0.20.4-incubating and earlier were found to be vulnerable to CRLF log injection due to insufficient escaping in log statements. The vulnerability is tracked as CVE-2021-42010 and was disclosed in October 2022. The issue affects the logging functionality in Apache Heron, an open-source distributed stream processing engine (OSS Security).

The vulnerability stems from a lack of proper escaping mechanisms in the log statements within Apache Heron. This allows for CRLF (Carriage Return Line Feed) injection in log files. The severity of this vulnerability has been assessed with a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue is classified under CWE-116 (Improper Encoding or Escaping of Output) (NVD).

The CRLF log injection vulnerability could potentially allow attackers to manipulate log files by injecting malicious content. This could lead to log tampering, which may affect system monitoring, auditing, and potentially mask other malicious activities (NVD).

The vulnerability has been fixed in Apache Heron version 0.20.5-incubating. Users are strongly advised to upgrade to this version or later to address the CRLF log injection vulnerability (OSS Security).