[ https://issues.apache.org/jira/browse/LIVY-878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17709813#comment-17709813 ]
Larry McCay commented on LIVY-878:
----------------------------------

Sorry for the delay in responding here.

[~dacort] - I think that if these PRs are ready to go as is that we should get them in. There seems to be an outstanding comment on 392 about test dependencies - we can follow up for those separately.

Thoughts?

> Log4j upgrade for Livy 0.8.0 version
> -------------------------------------
>
> Key: LIVY-878
> URL: https://issues.apache.org/jira/browse/LIVY-878
> Project: Livy
> Issue Type: Sub-task
> Reporter: Tinu Jose
> Assignee: Damon Cortesi
> Priority: Major
> Fix For: 0.8.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> We are looking for advice from you in the context of the issue mentioned below:
>
> *A high severity vulnerability (CVE-2021-44228) impacting multiple versions
> of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub
> on December 9, 2021.*
> *The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.*
>
> Apache Livy version 0.7.0 is being used by our team for processing
> the Spark jobs. It uses Log4j 1.x.x, which does not have any continued
> support.
> We would like to upgrade the Log4j versions to the latest stable version
> 2.15 without having any impact on the installations.
>
> Could you please recommend the possible ways to do the upgrade? Please note,
> we are not looking to upgrade the Livy version to 0.7.1 to resolve this issue.
> Our requirement is to retain the current installed version and configurations
> with only changes in the Log4j versions.

--
This message was sent by Atlassian Jira (v8.20.10#820010)