This has been discussed extensively on this list. See the archives. TL;DR is current releases do not appear to be vulnerable. But 3.3.0 will move to log4j 2 anyway.
On Sat, Jan 29, 2022, 9:42 PM KS, Rajabhupati <rajabhupati...@comcast.com.invalid> wrote:

> Hi Team,
>
> We were checking for log4j upgrade in Open source spark version to avoid
> the recent vulnerability in the spark binary. Do we have any new release
> which is planned to upgrade the log4j from 1.2.17 to 2.17.1? Any sooner
> response is appreciated.
>
> Regards
> Rajabhupati