[ 
https://issues.apache.org/jira/browse/LIVY-878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17652890#comment-17652890
 ] 

Sumit Kumar edited comment on LIVY-878 at 12/29/22 4:07 PM:
------------------------------------------------------------

I was also hinting that we could ignore this work until dependencies like 
ZooKeeper and Hadoop move to log4j2, but I just noticed that Spark has moved on in 
their recent 3.3.0 release (please see SPARK-37814). With this new data point, I 
am now thinking that eliminating the log4j 1.x dependency is more appropriate and 
will be helpful for production environments that use Spark on Kubernetes or 
Mesos. Those depending on Hadoop and ZooKeeper will have to do the 
additional work that they are already doing for those components.

Please see the similar discussions and challenges the community faced for Spark in 
[https://github.com/apache/spark/pull/34877#issuecomment-994155205] and 
[https://github.com/apache/spark/pull/34895].


was (Author: ksumit):
I was also hinting that we could ignore this work until dependencies like 
ZooKeeper and Hadoop move to log4j2, but I just noticed that Spark has moved on in 
their recent 3.3.0 release (please see SPARK-37814). With this new data point, I 
am now thinking that eliminating the log4j 1.x dependency is more appropriate and 
will be helpful for production environments that use Spark on Kubernetes or 
Mesos. Those depending on Hadoop and ZooKeeper will have to do the 
additional work that they are already doing for those components.

[~dacort] please see the similar discussions in 
[https://github.com/apache/spark/pull/34877#issuecomment-994155205] and 
[https://github.com/apache/spark/pull/34895].

>  Log4j upgrade for Livy 0.7.0 version
> -------------------------------------
>
>                 Key: LIVY-878
>                 URL: https://issues.apache.org/jira/browse/LIVY-878
>             Project: Livy
>          Issue Type: Sub-task
>            Reporter: Tinu Jose
>            Assignee: Damon Cortesi
>            Priority: Major
>             Fix For: 0.8.0
>
>
> We are looking for advice from you in the context of the issue mentioned below:
>  
> *A high severity vulnerability (CVE-2021-44228) impacting multiple versions 
> of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub 
> on December 9, 2021.* 
> *The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.*
>  
> Apache Livy version 0.7.0 is being used by our team for processing 
> Spark jobs. It uses Log4j 1.x.x, which no longer has any continued 
> support.
> We would like to upgrade Log4j to the latest stable version, 
> 2.15, without any impact on the installations.
>  
> Could you please recommend the possible ways to do the upgrade? Please note, 
> we are not looking to upgrade the Livy version to 0.7.1 to resolve this issue.
> Our requirement is to retain the currently installed version and configuration, 
> with changes only to the Log4j version.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)