Log4j upgrade to 2.x in hadoop for vulnerability fix

2021-09-14 Thread Pulkit Chawla
Hi,

Hadoop uses log4j1 even in latest versions. I am concerned about the log4j1 
vulnerabilities related to network listening.

Wanted to know the risk of continuing to use log4j1 in Hadoop.
Does it use those log4j network classes? If no, can we completely remove it?
If yes, how can we lessen the risk? Does creating a secure Kerberos network
prevent those vulnerabilities?

Can anyone guide me?
Thanks,
Pulkit


Re: Log4j upgrade to 2.x in hadoop for vulnerability fix

2021-09-15 Thread Akira Ajisaka
Hi Pulkit,

Hadoop does not use those log4j network classes unless the user and the
administrator configured the setting explicitly.
The issue is tracked by HADOOP-16206 (Migrate from Log4j1 to Log4j2) in the ASF JIRA (apache.org).

Thanks,
Akira

On Tue, Sep 14, 2021 at 10:33 PM Pulkit Chawla wrote:
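Akira's answer turns on whether the deployed log4j 1.x configuration wires in any appender from the `org.apache.log4j.net` package. As an added example (not code from the thread or from the Hadoop project), the script below parses a log4j 1.x properties file, lists every appender whose class comes from that package, and reports whether the root logger or any named logger actually references it; the configuration text is constructed for illustration and is not Hadoop's shipped `log4j.properties`.

```python
import re

# Constructed sample (not Hadoop's own config): the console appender is
# active; the SocketHubAppender is defined but no logger references it.
SAMPLE_CONFIG = """
# comment lines and blank lines are ignored
log4j.rootLogger=INFO,console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.hub=org.apache.log4j.net.SocketHubAppender
log4j.appender.hub.Port=4560
log4j.logger.org.apache.hadoop=INFO,console
"""

NET_PACKAGE = "org.apache.log4j.net."
KEY_VALUE = re.compile(r"([^=:\s]+)\s*[=:]\s*(.*)")


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = KEY_VALUE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_log4j_config(text):
    """Return {appender_name: (class_name, referenced_by_a_logger)} for every
    appender whose implementation class lives in org.apache.log4j.net."""
    props = parse_properties(text)
    referenced = set()
    for key, value in props.items():
        # logger values look like "LEVEL, appenderA, appenderB"; the first
        # token is the level, the rest are appender names
        if key in ("log4j.rootLogger", "log4j.rootCategory") or key.startswith("log4j.logger."):
            parts = [p.strip() for p in value.split(",")]
            referenced.update(p for p in parts[1:] if p)
    findings = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value.startswith(NET_PACKAGE):
            findings[m.group(1)] = (value, m.group(1) in referenced)
    return findings


if __name__ == "__main__":
    for name, (cls, active) in audit_log4j_config(SAMPLE_CONFIG).items():
        print(f"{name}: {cls} ({'ACTIVE' if active else 'defined but unreferenced'})")
```

A defined-but-unreferenced appender is never instantiated by log4j 1.x, so the finding that matters is an `org.apache.log4j.net` appender that a logger actually names.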