Check the CVE - the log4j vulnerability appears to affect log4j 2, not 1.x.
There was mention that it could affect 1.x when used with JNDI or SMS
handlers, but Spark does neither (unless anyone can think of something I'm
missing, but I've never heard or seen that come up at all in 7 years in Spark).

The big issue would be applications that themselves configure log4j 2.x,
but that's not a Spark issue per se.

On Sun, Dec 12, 2021 at 10:46 PM Pralabh Kumar <pralabhku...@gmail.com>
wrote:

> Hi developers, users
>
> Spark is built using log4j 1.2.17. Is there a plan to upgrade based on
> recent CVE detected?
>
>
> Regards
> Pralabh kumar
>
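
Added example, not part of the original thread and not Spark project code: one way to check which log4j line a jar actually carries, including a log4j 2.x core bundled inside an application fat jar, which is the case the reply singles out. The jar names and the sample archives are constructed for illustration.

```python
import io
import zipfile

# Class files that identify each log4j line inside a jar (a jar is a zip archive).
MARKERS = {
    "log4j-1.x": "org/apache/log4j/Logger.class",
    "log4j-2.x-core": "org/apache/logging/log4j/core/Logger.class",
}
NESTED = (".jar", ".war", ".ear")


def classify_jar(data, name="<jar>", depth=0, max_depth=4):
    """Return sorted (location, line) pairs for every log4j copy found in the
    archive bytes `data`, including copies inside nested or shaded jars."""
    found = set()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an archive; nothing to report
    with zf:
        for entry in zf.namelist():
            for line, marker in MARKERS.items():
                # Exact match, or a relocated ("shaded") package prefix.
                if entry == marker or entry.endswith("/" + marker):
                    found.add((name, line))
            if entry.lower().endswith(NESTED) and depth < max_depth:
                inner = zf.read(entry)
                found.update(classify_jar(inner, f"{name}!/{entry}", depth + 1, max_depth))
    return sorted(found)


def make_jar(entries):
    """Build a constructed sample jar in memory from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def demo():
    # Constructed samples: a framework-style jar carrying 1.x classes, and an
    # application fat jar that bundles its own log4j 2.x core.
    one_x = make_jar({MARKERS["log4j-1.x"]: b""})
    two_x = make_jar({MARKERS["log4j-2.x-core"]: b""})
    app = make_jar({"com/example/App.class": b"", "BOOT-INF/lib/log4j-core.jar": two_x})
    return classify_jar(one_x, "framework.jar"), classify_jar(app, "app.jar")
```

The 1.x marker also matches the log4j 2 compatibility bridge (log4j-1.2-api), so confirm a 1.x hit against the jar's manifest before drawing conclusions.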
