There was a discussion on this issue a couple of weeks ago. Basically, if
you look at the CVE definition of the Log4j vulnerability, it only affects
certain versions of log4j 2.x, not 1.x. Since Spark doesn't use any of
the affected log4j versions, this shouldn't be a concern.
https://lists.apache.org/list?user@spark.apache.org:lte=1M:Log4j
On 1/12/22 9:50 AM, Juan Liu wrote:
Dear Spark support,
Due to the known log4j security issue, we are required to upgrade the
log4j version to 2.17.1. Currently, we use Spark 3.1.2 with the default
log4j 1.2.17. We also found the log4j configuration document here:
https://spark.apache.org/docs/3.2.0/configuration.html#configuring-logging
Our questions:
* Does Spark 3.1.2 support log4j v2.17.1? How do we upgrade log4j from
1.* to 2.17.1 in Spark? Would you please help to provide guidance?
* If Spark 3.1.2 doesn't support log4j v2.17.1, then how about Spark
3.2? Please also help to provide guidance, thanks!
* We found that Spark 3.3 will support the log4j migration from 1 to 2 in this
ticket: https://issues.apache.org/jira/browse/SPARK-37814. I also
noticed that all sub-tasks are done except one. It's awesome! Would
you please advise your target release date? If it's in the very
near future, like January, maybe we can wait for 3.3.
BTW, as the log4j issue is a very high-profile security issue, it would be better if
the Spark team could post the solution directly on the security page
(https://spark.apache.org/security.html) to benefit end users.
Anyway, thank you so much for providing such a powerful tool for us,
and thanks for your patience in reading and replying to this mail. Have a good day!
Juan Liu (刘娟), PMP®
Release Management, Watson Health, China Development Lab
Email: liuj...@cn.ibm.com
Phone: 86-10-82452506
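As an added example that is not part of this thread, the following POSIX shell check lists the log4j jars in a Spark distribution's jars directory and reports, per jar, whether it is on the 1.x line that Spark 3.1.2 ships (which the reply above places outside the scope of the log4j 2.x CVE) or a 2.x version older than the 2.17.1 target the question names. It assumes the usual Maven file naming (log4j-<version>.jar or log4j-<artifact>-<version>.jar); the demo input is constructed, not taken from a real Spark build.

```shell
# Added example, not from the thread: list the log4j jars in a Spark jars/
# directory and report whether each is on the 1.x line Spark 3.1.2 ships or a
# 2.x version older than the 2.17.1 target the question names. Assumes Maven
# naming: log4j-<version>.jar or log4j-<artifact>-<version>.jar.

# Verdict for one version string: LOG4J1 (1.x line, outside the scope of the
# log4j 2.x CVE discussed above), UPGRADE (2.x older than 2.17.1), OK (>= 2.17.1).
log4j_verdict() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$rest" = "$patch" ] && patch=0      # version had no patch component
  if [ "$major" -eq 1 ]; then
    echo LOG4J1
  elif [ "$major" -gt 2 ] || [ "$minor" -gt 17 ] ||
       { [ "$minor" -eq 17 ] && [ "$patch" -ge 1 ]; }; then
    echo OK
  else
    echo UPGRADE
  fi
}

# Print "<jar name> <version> <verdict>" for every log4j jar directly under $1.
classify_log4j_jars() {
  for jar in "$1"/log4j*.jar; do
    [ -e "$jar" ] || continue                    # glob matched nothing
    name=$(basename "$jar" .jar)
    # The version is the trailing dotted-digit group after the last '-'.
    ver=$(printf '%s\n' "$name" | sed -n 's/.*-\([0-9][0-9.]*\)$/\1/p')
    if [ -n "$ver" ]; then
      echo "$name $ver $(log4j_verdict "$ver")"
    else
      echo "$name unknown UNPARSED"
    fi
  done
}

# Constructed demo input (not a real Spark build): empty files named like the
# log4j 1.2.17 jar of Spark 3.1.2 plus a hypothetical, half-finished 2.x upgrade.
demo() {
  d=$(mktemp -d)
  for j in log4j-1.2.17 log4j-core-2.16.0 log4j-api-2.17.1; do : > "$d/$j.jar"; done
  classify_log4j_jars "$d"
  rm -rf "$d"
}

# Usage: sh check_log4j.sh "$SPARK_HOME/jars"; with no argument, run the demo.
if [ -n "${1:-}" ]; then classify_log4j_jars "$1"; else demo; fi
```

A mixed result (some jars UPGRADE, some OK) is the case to watch for: a partially upgraded classpath still loads the older log4j 2.x core.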