[ https://issues.apache.org/jira/browse/HADOOP-17831?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17391561#comment-17391561 ]

Steve Loughran commented on HADOOP-17831:
-----------------------------------------

It's a duplicate.

[~brisly] We are aware of this, but

# it is a traumatically incompatible upgrade which will break the logging configuration of everything
# the vulnerability is from when log4j is deployed as a service to process submitted logs. Hadoop *never* deploys log4j so is not vulnerable to it.

It is actually possible to strip out the relevant package and redistribute a private version of log4j without it. FWIW, this is what Cloudera do.

Ultimately, we will do the move, even though it is an incompatible change. Please join in the work on HADOOP-16206.

> Upgrade log4j to fix critical vulnerability
> -------------------------------------------
>
>                 Key: HADOOP-17831
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17831
>             Project: Hadoop Common
>          Issue Type: Task
>    Affects Versions: 3.3.1
>            Reporter: Brisly Priya Joseph
>            Priority: Major
>
> CVE-2019-17571 - log4j-1.2.17 - (Fix available in log4j-2.8.2)
> Please upgrade to log4j-2.8.2 to fix vulnerability
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
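An added example, not code from this issue, from Hadoop or from Cloudera, of the mitigation the comment describes: scan a log4j 1.x jar for the package that holds the socket log server behind CVE-2019-17571, write a private copy with that package removed, and check a log4j.properties for appenders the removal would break. The jar contents below are constructed placeholders; the package path org/apache/log4j/net/ is assumed.

```python
"""Find and strip the log4j 1.x network package from a jar, then check configs that depend on it."""
import io
import zipfile

# Package holding log4j 1.x SocketServer/SocketNode (the CVE-2019-17571 deserialization
# sink) and also the client-side SocketAppender. Assumed path, not taken from the issue.
RISKY_PREFIX = "org/apache/log4j/net/"


def entry_names(jar_bytes: bytes) -> list[str]:
    """All entry names in a jar, sorted; used to verify what survived a strip."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(zf.namelist())


def list_risky_entries(jar_bytes: bytes) -> list[str]:
    """Class files under RISKY_PREFIX; a non-empty list means the listener code ships in this jar."""
    return [n for n in entry_names(jar_bytes) if n.startswith(RISKY_PREFIX) and n.endswith(".class")]


def strip_package(jar_bytes: bytes, prefix: str = RISKY_PREFIX) -> bytes:
    """Return a new jar with every entry under `prefix` dropped; all other entries, manifest
    included, are copied with their original ZipInfo metadata."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if not info.filename.startswith(prefix):
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def config_references_net_package(log4j_properties: str) -> list[str]:
    """Lines of a log4j.properties naming a class in the stripped package. Any hit means a
    stripped jar would break that deployment's logging configuration at startup."""
    return [ln.strip() for ln in log4j_properties.splitlines() if "org.apache.log4j.net." in ln]


def build_sample_jar() -> bytes:
    """Constructed stand-in for log4j-1.2.17.jar: real class paths, placeholder bytes."""
    placeholder = b"\xca\xfe\xba\xbe placeholder"
    entries = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
               "org/apache/log4j/Logger.class": placeholder,
               "org/apache/log4j/net/SocketServer.class": placeholder,
               "org/apache/log4j/net/SocketNode.class": placeholder,
               "org/apache/log4j/net/SocketAppender.class": placeholder}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Run `list_risky_entries` on the real jar first; an empty result from `config_references_net_package` over every log4j.properties in the deployment is the precondition for shipping the stripped copy.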