Hi all,

Just to keep it public and everyone informed.

There is a vulnerability in LOG4J at the moment that gives root access to
machines through LOG4J.

As far as I can tell, we should not be affected, since we do not provide the
combination of surfaces that is required for the vulnerability to work (web
access to logging, if I am not mistaken), and it is also not clear if it also
affects our version 1.2.7 (also used in Spark), since the vulnerability is
reported for versions 2.x >.


Spark is in a similar situation as us [1], and relies on Hadoop, which uses
1.2.7 as well.

So currently my suggestion is to wait for Hadoop to update, then Spark, then us.


[1] https://issues.apache.org/jira/browse/SPARK-37630


The version to update to is 2.15.


Best regards

Sebastian
