[jira] [Commented] (SPARK-38253) Migrate spark-sql Java library from log4j to slf4j

Fri, 18 Feb 2022 19:30:04 -0800 


    [ 
https://issues.apache.org/jira/browse/SPARK-38253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17494883#comment-17494883
 ] 

Hyukjin Kwon commented on SPARK-38253:
--------------------------------------

This is fixed in Spark 3.3 per SPARK-37814. Users should upgrade Spark version 
to 3.3

> Migrate spark-sql Java library from log4j to slf4j
> --------------------------------------------------
>
>                 Key: SPARK-38253
>                 URL: https://issues.apache.org/jira/browse/SPARK-38253
>             Project: Spark
>          Issue Type: Improvement
>          Components: Java API
>    Affects Versions: 3.2.1
>            Reporter: Dhaval Shewale
>            Priority: Critical
>
> As there are numerous vulnerabilities in log4j and the project is no longer 
> actively supported, Can we upgrade *spark-sql* Java library from log4j to 
> slf4j.
> This will also enable to easily integrate with log4j, logback and log4j2 
> without a breaking change.
>  
> +*Maven Dependency*+
> {quote}{{<dependency>}}
> {{  <groupId>org.apache.spark</groupId>}}
> {{  <artifactId>spark-sql_2.13</artifactId>}}
> {{  <version>3.2.1</version>}}
> {{</dependency>}}
> {quote}
>  
> +*Vulnerabilities*+
> {quote}{{---------------------------------------------------------------}}
> {{| SEVERITY  |  LIBRARY                      |  ID             |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  log4j-1.2.17.jar             |  CVE-2019-17571 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  log4j-1.2.17.jar             |  CVE-2020-9493  |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  log4j-1.2.17.jar             |  CVE-2021-4104  |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23302 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23305 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| HIGH      |  log4j-1.2.17.jar             |  CVE-2022-23307 |}}
> {{|---------- | ----------------------------- | ----------------|}}
> {{| LOW       |  log4j-1.2.17.jar             |  CVE-2020-9488  |}}
> {{---------------------------------------------------------------}}
> {quote}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to