[
https://issues.apache.org/jira/browse/LIVY-878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17652608#comment-17652608
]
Damon Cortesi commented on LIVY-878:
------------------------------------
[~lmccay] Probably moderate level of effort. It's mostly just making the fixes,
re-running dependency check, seeing if there are other compile-time inclusions
of log4j. The time consuming part is figuring out how log4j is getting pulled
in for some of the modules and if it's actually necessary or they can be
excluded. I'm not familiar enough with the project yet to make those calls
quickly. :)
I still have the following modules to figure out based on a dependency check
run on [this pr|https://github.com/apache/incubator-livy/pull/381].
* livy-integration-test:compile
* livy-coverage-report:compile
* livy-assembly:compile
* livy-server:compile
> Log4j upgrade for Livy 0.7.0 version
> -------------------------------------
>
> Key: LIVY-878
> URL: https://issues.apache.org/jira/browse/LIVY-878
> Project: Livy
> Issue Type: Sub-task
> Reporter: Tinu Jose
> Assignee: Damon Cortesi
> Priority: Major
> Fix For: 0.8.0
>
>
> We are looking for advice from you in the context of the below mentioned issue:
>
> *A high severity vulnerability (CVE-2021-44228) impacting multiple versions
> of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub
> on December 9, 2021.*
> *The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.*
>
> Apache Livy version 0.7.0 is being used by our team for processing
> the Spark jobs. It uses Log4j 1.x.x, which does not have any continued
> support.
> We would like to upgrade the Log4j versions to the latest stable version
> 2.15 without having any impact on the installations.
>
> Could you please recommend the possible ways to do the upgrade. Please note,
> we are not looking to upgrade the Livy version to 0.7.1 to resolve this
> issue.
> Our requirement is to retain the current installed version and configurations
> with only changes in the Log4j versions.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
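The comment above describes the tedious part of the upgrade: working out, module by module, which direct dependency transitively drags log4j in, in what scope, and whether it can be excluded. The script below is an added example and not code from the Livy project or from the commenter; it parses the plain-text output of `mvn dependency:tree` (run per module, e.g. `mvn dependency:tree -Dincludes=log4j,org.apache.logging.log4j,org.slf4j:slf4j-log4j12`), reports the path by which each log4j artifact arrives, and prints the Maven `<exclusions>` block for the direct dependency that carries it. The embedded tree text, the module name, the artifact coordinates and the versions in it are constructed for illustration and are not taken from a real Livy build.

```python
import re

# Constructed sample of `mvn dependency:tree` output for one module. The
# coordinates, versions and scopes are invented for this example and are not
# real Livy dependency data.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ livy-server ---
[INFO] org.apache.livy:livy-server:jar:0.8.0-SNAPSHOT
[INFO] +- org.apache.livy:livy-core:jar:0.8.0-SNAPSHOT:compile
[INFO] |  \\- org.apache.spark:spark-core:jar:2.4.5:provided
[INFO] |     \\- log4j:log4j:jar:1.2.17:provided
[INFO] +- org.apache.zookeeper:zookeeper:jar:3.4.6:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.25:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

# Header line printed once per module by the dependency plugin.
MODULE_RE = re.compile(r"^\[INFO\] --- maven-dependency-plugin:\S+:tree \([^)]*\) @ (\S+) ---$")
# One tree node: a prefix made of 3-character drawing cells followed by
# group:artifact:type[:classifier]:version[:scope].
NODE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:\|  |   |\+- |\\- )*)"
    r"(?P<coord>[\w.\-]+(?::[\w.\-]+){3,5})$"
)


def is_log4j(group_id, artifact_id):
    """log4j 1.x, log4j 2.x, and the SLF4J binding that targets log4j 1.2."""
    return (group_id == "log4j"
            or group_id == "org.apache.logging.log4j"
            or (group_id == "org.slf4j" and artifact_id == "slf4j-log4j12"))


def find_log4j_paths(tree_text):
    """Return one finding per log4j artifact: module, scope and the full path
    from the module root down to the artifact."""
    module, stack, findings = None, [], []
    for line in tree_text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            module, stack = m.group(1), []
            continue
        m = NODE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3      # each drawing cell is 3 chars
        parts = m.group("coord").split(":")
        ga = f"{parts[0]}:{parts[1]}"
        del stack[depth:]                        # pop back to this node's parent
        stack.append(ga)
        if is_log4j(parts[0], parts[1]):
            findings.append({
                "module": module,
                "artifact": ga,
                "version": parts[-2] if depth else parts[3],
                "scope": parts[-1] if depth else None,
                "path": list(stack),
            })
    return findings


def compile_scope(findings):
    """Only compile/runtime-scoped arrivals end up in the shipped artifact;
    provided and test scope do not, so they are lower priority."""
    return [f for f in findings if f["scope"] in ("compile", "runtime")]


def exclusion_snippet(finding):
    """Maven exclusion for the direct dependency that carries log4j in.
    Returns None when log4j itself is declared directly (nothing to exclude;
    the declaration has to be changed instead)."""
    if len(finding["path"]) < 3:
        return None
    dg, da = finding["path"][1].split(":")
    lg, la = finding["artifact"].split(":")
    return (f"<dependency>\n  <groupId>{dg}</groupId>\n  <artifactId>{da}</artifactId>\n"
            f"  <exclusions>\n    <exclusion>\n      <groupId>{lg}</groupId>\n"
            f"      <artifactId>{la}</artifactId>\n    </exclusion>\n  </exclusions>\n"
            f"</dependency>")


if __name__ == "__main__":
    for f in find_log4j_paths(SAMPLE_TREE):
        print(f"{f['module']}: {f['artifact']}:{f['version']} ({f['scope']})")
        print("  via " + " -> ".join(f["path"]))
        snippet = exclusion_snippet(f)
        print(snippet if snippet else "  declared directly; replace the dependency itself")
```

Feed it the concatenated `mvn dependency:tree` output of the whole reactor and it groups findings per module, which is exactly the list the comment is still working through; `provided`-scope arrivals (typically via Spark) need no change in Livy itself, while `compile`-scope ones either get an exclusion on the direct dependency or, for a direct declaration such as the log4j12 SLF4J binding, a replacement dependency.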