[ 
https://issues.apache.org/jira/browse/LIVY-878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699043#comment-17699043
 ] 

Gyorgy Gal commented on LIVY-878:
---------------------------------

I agree with [~ksumit] that in order to unblock the 0.8 release it may be 
better to go with reload4j for now and tackle the transition to Log4J2 in an 
upcoming release (when support for Spark 3.3 and above is added). My biggest 
concern would be compatibility with existing log4j properties files.

In our downstream Livy fork we use Spark 2 with reload4j and Spark 3.3 with 
log4j-1.2-api. Both are workable, but we had to replace the configuration files 
and fix some of the unit tests in the latter case.

The current upstream version of Livy only supports Spark 3.1 and below 
([LivySparkUtils.scala|https://github.com/apache/incubator-livy/blob/45e07fec68f2b9ad1dc7ebce8db08ad8a778dddc/server/src/main/scala/org/apache/livy/utils/LivySparkUtils.scala#L44-L45]),
 so it seems like a safer option to stick with reload4j and the old log4j 
config file format.

Adding Spark 3.3+ support seems like a larger task and it may require us to 
move to Log4J2 anyway to prevent classpath and configuration conflicts. Please 
let me know your thoughts on this.

>  Log4j upgrade for Livy 0.7.0 version
> -------------------------------------
>
>                 Key: LIVY-878
>                 URL: https://issues.apache.org/jira/browse/LIVY-878
>             Project: Livy
>          Issue Type: Sub-task
>            Reporter: Tinu Jose
>            Assignee: Damon Cortesi
>            Priority: Major
>             Fix For: 0.8.0
>
>
> We are looking for advice from you in the context of the below-mentioned issue:
>  
> *A high severity vulnerability (CVE-2021-44228) impacting multiple versions 
> of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub 
> on December 9, 2021.* 
> *The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.*
>  
> Apache Livy version 0.7.0 is being used by our team for processing 
> the Spark jobs. It uses Log4j 1.x.x, which does not have any continued 
> support.
> We would like to upgrade the Log4j versions to the latest stable version 
> 2.15 without having any impact on the installations.
>  
> Could you please recommend the possible ways to do the upgrade. Please note, 
> we are not looking to upgrade the Livy version to 0.7.1 to resolve this 
> issue.
> Our requirement is to retain the current installed version and configurations 
> with only changes in the Log4j versions.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
