RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

ilto:sro...@gmail.com>> Cc:"Juan Liu" mailto:liuj...@cn.ibm.com>>, "user@spark.apache.org<mailto:user@spark.apache.org>" mailto:user@spark.apache.org>> Date:2022/01/20 03:05 PM Subject:[EXTERNAL] RE: Does Spark 3.1.2/3.2 support

RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Juan Liu ; user@spark.apache.org Subject: RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3? Sie erhalten nicht oft E-Mail von "t...@ibm.com<mailto:t...@ibm.com>". Weitere Informationen, warum dies wichtig ist<http://aka.ms/LearnAboutSenderIdentif

RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

e J Griesenbrock" , "User" Subject: [EXTERNAL] Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?Date: Thu, Jan 13, 2022 08:05  Yes, Spark does not use the SocketServer mentioned in CVE-2019-17571, however, so is not affected. 3.3.0 would prob

Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

This very user@ list -- announcements will go to all the lists. On Wed, Jan 19, 2022 at 11:50 AM Theodore J Griesenbrock wrote: > Again, sorry to bother you. > > What is the best option available to ensure we get notified when a new > version is released for Apache Spark? I do not see any RSS

Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Yes, Spark does not use the SocketServer mentioned in CVE-2019-17571, however, so is not affected. 3.3.0 would probably be out in a couple months. On Thu, Jan 13, 2022 at 3:14 AM Juan Liu wrote: > We are informed that CVE-2021-4104 is not only problem with Log4J 1.x. > There is one more

RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

he.org Subject: Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3? Again: the CVE has no known effect on released Spark versions. Spark 3.3 will have log4j 2.x anyway. On Wed, Jan 12, 2022 at 10:21 AM Crowe, John mailto:john.cr...@tditechnologies.com>&

Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Again: the CVE has no known effect on released Spark versions. Spark 3.3 will have log4j 2.x anyway. On Wed, Jan 12, 2022 at 10:21 AM Crowe, John wrote: > I too would like to know when you anticipate Spark 3.3.0 to be released > due to the Log4j CVE’s. > > Our customers are all quite concerned.

Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

As noted, there is no known effect on Spark, as released versions do not use an affected log4j version and configuration, thus no documentation about remediation. It is in any event a good idea to update to 2.x; please see JIRA for the log4j 2.x update, which will come in Spark 3.3.0 as this is

RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

I too would like to know when you anticipate Spark 3.3.0 to be released due to the Log4j CVE’s. Our customers are all quite concerned. Regards; John Crowe TDi Technologies, Inc. 1600 10th Street Suite B Plano, TX 75074 (800) 695-1258

Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

There was a discussion on this issue couple of weeks ago.  Basically if you look at the CVE definition of Log4j, the vulnerability only affects certain versions of log4j 2.x, not 1.x.  Since Spark doesn't use any of the affected log4j versions, this shouldn't be a concern..