FWIW here is the Databricks statement on it. Not the same as Spark but
includes Spark of course.
https://databricks.com/blog/2021/12/13/log4j2-vulnerability-cve-2021-44228-research-and-assessment.html
Yes the question is almost surely more whether user apps are affected, not
Spark itself.
On
log4j 1.2.17 is not vulnerable. There is an existing CVE there from a log
aggregation servlet; Cloudera products ship a patched release with that
servlet stripped...asf projects are not allowed to do that.
But: some recent Cloudera Products do include log4j 2.x, so colleagues of
mine are busy
My understanding is that we don’t need to do anything. Log4j2-core not used in
spark.
> 2021年12月13日 下午12:45,Pralabh Kumar 写道:
>
> Hi developers, users
>
> Spark is built using log4j 1.2.17 . Is there a plan to upgrade based on
> recent CVE detected ?
>
>
> Regards
> Pralabh kumar
* Monday, December 13, 2021 8:25 AM
> *To:* Jörn Franke
> *Cc:* Pralabh Kumar ; dev ;
> user.spark
> *Subject:* Re: Log4j 1.2.17 spark CVE
>
> This has come up several times over years - search JIRA. The very short
> summary is: Spark does not use log4j 1.x, but its dependenci
: Pralabh Kumar ; dev ;
user.spark
Subject: Re: Log4j 1.2.17 spark CVE
This has come up several times over years - search JIRA. The very short summary
is: Spark does not use log4j 1.x, but its dependencies do, and that's the issue.
Anyone that can successfully complete the surgery at this point
This has come up several times over years - search JIRA. The very short
summary is: Spark does not use log4j 1.x, but its dependencies do, and
that's the issue.
Anyone that can successfully complete the surgery at this point is welcome
to, but I failed ~2 years ago.
On Mon, Dec 13, 2021 at 10:02
There is a discussion on Github on this topic and the recommendation is
to upgrade from 1.x to 2.15.0, due to the vulnerability of 1.x:
https://github.com/apache/logging-log4j2/pull/608
This discussion is also referenced by the German Federal Office for
Information Security:
Is it in any case appropriate to use log4j 1.x which is not maintained anymore
and has other security vulnerabilities which won’t be fixed anymore ?
> Am 13.12.2021 um 06:06 schrieb Sean Owen :
>
>
> Check the CVE - the log4j vulnerability appears to affect log4j 2, not 1.x.
> There was
My understanding is it only applies to log4j 2+ so we don’t need to do
anything.
On Sun, Dec 12, 2021 at 8:46 PM Pralabh Kumar
wrote:
> Hi developers, users
>
> Spark is built using log4j 1.2.17 . Is there a plan to upgrade based on
> recent CVE detected ?
>
>
> Regards
> Pralabh kumar
>
--
Check the CVE - the log4j vulnerability appears to affect log4j 2, not 1.x.
There was mention that it could affect 1.x when used with JNDI or SMS
handlers, but Spark does neither. (unless anyone can think of something I'm
missing, but never heard or seen that come up at all in 7 years in Spark)
Hi developers, users
Spark is built using log4j 1.2.17 . Is there a plan to upgrade based on
recent CVE detected ?
Regards
Pralabh kumar
11 matches
Mail list logo
