[
https://issues.apache.org/jira/browse/LIVY-878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17652617#comment-17652617
]
Damon Cortesi commented on LIVY-878:
------------------------------------
Additional thoughts on the approach for the current PR. I'd prefer not to do a
wholesale upgrade to log4jv2 for the next release, so that leaves a couple of
options that I've been able to find.
* [log4j 1.2 bridge|https://logging.apache.org/log4j/2.x/log4j-1.2-api/index.html] - A
temporary solution to use Log4j 2 with minor API differences
* [reload4j|https://reload4j.qos.ch/] - A third-party (but written by the
author of log4j 1) drop-in replacement for log4j version 1.2.17.
It appears reload4j was built for folks to quickly and easily replace log4j in
their applications. While it is still maintained, I chose the bridge route for the PR
as we have the time to implement it and can then do a larger v2 upgrade later.
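The bridge route described in the comment above, as an added Maven example that is not part of the Livy PR or of this issue: the direct log4j 1.2.17 dependency is removed and the log4j-1.2-api bridge plus a Log4j 2 core at a patched version are added instead. The `${log4j2.version}` property and the commented-out reload4j coordinates are assumptions; the exact patched version must be chosen against the project's own dependency tree.

```xml
<!-- Added example (not from the Livy PR): replace log4j 1.2.17 with the Log4j 2 bridge.
     Assumption: the project sets a log4j2.version property pointing at a Log4j 2
     release that is not affected by CVE-2021-44228. -->
<properties>
  <log4j2.version>PATCHED_LOG4J2_VERSION_PLACEHOLDER</log4j2.version>
</properties>

<dependencies>
  <!-- Before (weak): the unmaintained log4j 1.x artifact, no longer receiving fixes.
  <dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
  </dependency>
  -->

  <!-- After: keep the org.apache.log4j.* API that existing code calls, backed by Log4j 2. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
  </dependency>

  <!-- Alternative drop-in route (reload4j) mentioned in the comment; coordinates are an
       assumption and this block stays disabled when the bridge route is used.
  <dependency>
    <groupId>ch.qos.reload4j</groupId>
    <artifactId>reload4j</artifactId>
    <version>RELOAD4J_VERSION_PLACEHOLDER</version>
  </dependency>
  -->
</dependencies>
```

After the change, `mvn dependency:tree | grep -i log4j` should show no `log4j:log4j` artifact left behind by transitive dependencies; any that remain need an explicit `<exclusion>` on the dependency that pulls them in.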
> Log4j upgrade for Livy 0.7.0 version
> -------------------------------------
>
> Key: LIVY-878
> URL: https://issues.apache.org/jira/browse/LIVY-878
> Project: Livy
> Issue Type: Sub-task
> Reporter: Tinu Jose
> Assignee: Damon Cortesi
> Priority: Major
> Fix For: 0.8.0
>
>
> We are looking for advice from you in context of the below mentioned issue:
>
> *A high severity vulnerability (CVE-2021-44228) impacting multiple versions
> of the Apache Log4j 2 utility was disclosed publicly via the project's GitHub
> on December 9, 2021.*
> *The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.*
>
> Apache Livy version 0.7.0 is being used by our team for processing
> the spark jobs. It uses Log4j 1.x.x, which is not having any continued
> support.
> We would like to upgrade the Log4j versions to the latest stable version
> 2.15 without having any impact on the installations.
>
> Could you please recommend the possible ways to do the upgrade. Please note,
> we are not looking to upgrade the Livy version to 0.7.1 to resolve this issue.
> Our requirement is to retain the current installed version and configurations
> with only changes in the Log4j versions.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)