[
https://issues.apache.org/jira/browse/SPARK-37630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459567#comment-17459567
]
Sean R. Owen commented on SPARK-37630:
--------------------------------------
Spark depends on a whole lot of other libraries, and they use log4j 1.x, like
Hadoop. That's most of the issue. Spark doesn't really care about the logging
framework, though it touches log4j -- mostly to configure logs from other
libraries.
Anyone can try to fix it, but, it's harder than it sounds. You'd have to figure
out how to plumb log4j 1.x calls to something else and exclude all log4j 1.x
dependencies. This is a duplicate of other JIRAs
> Security issue from Log4j 1.X exploit
> -------------------------------------
>
> Key: SPARK-37630
> URL: https://issues.apache.org/jira/browse/SPARK-37630
> Project: Spark
> Issue Type: Bug
> Components: Spark Core
> Affects Versions: 2.4.8, 3.2.0
> Reporter: Ismail H
> Priority: Major
> Labels: security
>
> log4j is being used in version [1.2.17|#L122]]
>
> This version has been deprecated and since [then have a known issue that
> hasn't been adressed in 1.X
> versions|https://www.cvedetails.com/cve/CVE-2019-17571/].
>
> *Solution:*
> * Upgrade log4j to version 2.15.0 which correct all known issues. [Last
> known issues |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228]
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
