[
https://issues.apache.org/jira/browse/LIVY-878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17652630#comment-17652630
]
Sumit Kumar commented on LIVY-878:
----------------------------------
In internal projects, we have replaced log4j1.x references with reload4j in pom
files; however, we ended up doing a lot of exclusions because log4j1.x was still
coming in as a transitive dependency (it wasn't pretty, to say the least). Most of
the Apache projects had not moved to log4j2 (e.g. hadoop, zookeeper, kafka, etc.)
last I checked, so this is going to be a pain to manage for some time to come.
A few additional data points to consider from other projects:
# The zookeeper community decided to suppress the owasp checker because
SocketServer is not used.
# There have been efforts on moving multiple open source projects to log4j2.x, but
they have been going on for several months and, in the worst case, multiple years.
A few are listed below:
* [ZOOKEEPER-3677] owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2
deserialization of untrusted data in SocketServer
* [ZOOKEEPER-2342] Migrate to Log4J 2. - ASF JIRA (apache.org) – open since Jan
2016, closed recently without resolution.
* [KAFKA-9366] Upgrade log4j to log4j2 - ASF JIRA (apache.org) – open since Jan
2020
* [HADOOP-16206] Migrate from Log4j1 to Log4j2 - ASF JIRA (apache.org) – open
since Mar 2019
* [ZEPPELIN-3527] Upgrade log4j to log4j2 - ASF JIRA (apache.org) – open since
Jun 2018
One hacky approach could be to replace the log4j1.x jars with reload4j jars in the
final generated build artifact and wait until the dependencies move to log4j2 as
well. Thoughts?
> Log4j upgrade for Livy 0.7.0 version
> -------------------------------------
>
> Key: LIVY-878
> URL: https://issues.apache.org/jira/browse/LIVY-878
> Project: Livy
> Issue Type: Sub-task
> Reporter: Tinu Jose
> Assignee: Damon Cortesi
> Priority: Major
> Fix For: 0.8.0
>
>
> We are looking for advice from you in the context of the below mentioned issue:
>
> *A high severity vulnerability (CVE-2021-44228) impacting multiple versions
> of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub
> on December 9, 2021.*
> *The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.*
>
> Apache Livy version 0.7.0 is being used by our team for processing
> the spark jobs. It uses Log4j 1.x.x, which does not have any continued
> support.
> We would like to upgrade the Log4j version to the latest stable version
> 2.15 without having any impact on the installations.
>
> Could you please recommend the possible ways to do the upgrade. Please note,
> we are not looking to upgrade the Livy version to 0.7.1 to resolve this
> issue.
> Our requirement is to retain the current installed version and configurations
> with only changes in the Log4j versions.