[ https://issues.apache.org/jira/browse/LIVY-878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17653358#comment-17653358 ]

Sumit Kumar commented on LIVY-878:
----------------------------------

Regarding downstreams consuming Livy, are you aware of projects consuming Livy 
as a library dependency? That would be harder. I was suspecting most of the 
consumers would be on-prem or cloud deployments, and in those cases they would 
have their own custom deployment logic and might already be handling the 
vulnerability in some way.

That said, I agree with your sentiments about not shipping with these 
vulnerabilities. Maybe we can do this in 2 phases:
1. With reload4j as a drop-in dependency replacement for log4j 1.x
2. With log4j2 replacing reload4j.

We can avoid the effort for an API bridge in that case because there are few 
compatibility issues and it's anyway going to be temporary. Some of the work 
(like exclusions) will be the same for the bridge as well as reload4j and will also 
be helpful when moving to log4j2. What do you think?

Yes, for k8s and mesos deployments, I was suggesting that this vulnerability 
mitigation effort will be useful.

>  Log4j upgrade for Livy 0.7.0 version
> -------------------------------------
>
>                 Key: LIVY-878
>                 URL: https://issues.apache.org/jira/browse/LIVY-878
>             Project: Livy
>          Issue Type: Sub-task
>            Reporter: Tinu Jose
>            Assignee: Damon Cortesi
>            Priority: Major
>             Fix For: 0.8.0
>
>
> We are looking for advice from you in the context of the below mentioned issue:
>  
> *A high severity vulnerability (CVE-2021-44228) impacting multiple versions 
> of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub 
> on December 9, 2021.* 
> *The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.*
>  
> Apache Livy version 0.7.0 is being used by our team for processing 
> the Spark jobs. It uses Log4j 1.x.x, which does not have any continued 
> support.
> We would like to upgrade the Log4j version to the latest stable version 
> 2.15 without having any impact on the installations.
>  
> Could you please recommend the possible ways to do the upgrade. Please note, 
> we are not looking to upgrade the Livy version to 0.7.1 to resolve this issue.
> Our requirement is to retain the current installed version and configurations 
> with only changes in the Log4j versions.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
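The phase 1 plan in the comment above (reload4j as a drop-in for log4j 1.x, plus exclusions so no dependency drags the old artifact back in) looks like the following in a Maven build. This is an added illustration, not Livy's own pom.xml or anything posted in the thread: the property names, the version numbers, the `${spark.version}` property and the choice of spark-core as the example transitive source of log4j:log4j are all assumptions for the sake of the example.

```xml
<!-- Added illustration, not Livy's pom.xml. Versions and property names are assumptions. -->
<properties>
  <reload4j.version>1.2.19</reload4j.version>
  <slf4j.version>1.7.36</slf4j.version>
</properties>

<dependencies>
  <!-- Phase 1: reload4j keeps the org.apache.log4j package names and the 1.2 API,
       so existing log4j.properties files and Logger.getLogger() calls keep working. -->
  <dependency>
    <groupId>ch.qos.reload4j</groupId>
    <artifactId>reload4j</artifactId>
    <version>${reload4j.version}</version>
  </dependency>
  <!-- SLF4J binding that targets reload4j instead of slf4j-log4j12. -->
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-reload4j</artifactId>
    <version>${slf4j.version}</version>
  </dependency>

  <!-- Example transitive source of log4j 1.x (assumed): strip the old jar and the old
       SLF4J binding here. Every dependency that resolves log4j:log4j needs the same
       exclusion block, which is the "exclusions" work the comment refers to. -->
  <dependency>
    <groupId>org.apache.spark</groupId>
    <artifactId>spark-core_2.11</artifactId>
    <version>${spark.version}</version>
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
      <exclusion>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-log4j12</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>

<build>
  <plugins>
    <!-- Fail the build if any path still resolves log4j 1.x, so a later
         dependency bump cannot quietly reintroduce it. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.0.0</version>
      <executions>
        <execution>
          <id>ban-log4j1</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <exclude>log4j:log4j</exclude>
                  <exclude>org.slf4j:slf4j-log4j12</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

To confirm the exclusions are complete before relying on the enforcer rule, run `mvn dependency:tree -Dincludes=log4j:log4j` on the module; once nothing is printed under it, no path resolves the old artifact. The exclusion blocks carry over unchanged to phase 2, where the reload4j and slf4j-reload4j coordinates would be swapped for log4j2's and the configuration file format revisited.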