[ 
https://issues.apache.org/jira/browse/SPARK-37630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460832#comment-17460832
 ] 

Ismail H edited comment on SPARK-37630 at 12/16/21, 4:06 PM:
-------------------------------------------------------------

To [~divekarsc], extract from
https://access.redhat.com/security/cve/CVE-2021-4104 :
bq. Note this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker's JMS Broker.

So the question is: is Spark using JMSAppender?

> Security issue from Log4j 1.X exploit
> -------------------------------------
>
>                 Key: SPARK-37630
>                 URL: https://issues.apache.org/jira/browse/SPARK-37630
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 2.4.8, 3.2.0
>            Reporter: Ismail H
>            Priority: Major
>              Labels: security
>
> log4j is being used in version [1.2.17|#L122]
>  
> This version has been deprecated and since [then has a known issue that
> hasn't been addressed in 1.X
> versions|https://www.cvedetails.com/cve/CVE-2019-17571/].
>  
> *Solution:*
>  * Upgrade log4j to version 2.15.0, which corrects all known issues. [Last
> known issues|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
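A way to answer the "is Spark using JMSAppender?" question on a concrete deployment, added here as an example and not code from the Spark project or from anyone in this thread: the script below parses a Log4j 1.x properties or XML configuration, reports every appender of class org.apache.log4j.net.JMSAppender, and says whether any logger actually references it (the log4j 1.x configurators only build appenders that a logger refers to, so a stray definition is reported separately from an attached one). The four sample configurations are constructed for the example; the console-only one has the shape of a stock Spark conf/log4j.properties but is not copied from it, and the broker host, topic name and the exposed_to_cve_2021_4104 helper are my own.

```python
"""Check a Log4j 1.x configuration for JMSAppender exposure (CVE-2021-4104).

Added example: parses log4j 1.x .properties or XML, lists appenders of class
org.apache.log4j.net.JMSAppender and the loggers that reference each one.
"""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
APPENDER_KEY = re.compile(r"log4j\.appender\.([^.]+)")   # log4j.appender.NAME=CLASS


def parse_properties(text):
    """Return (appenders, loggers): appender name -> class, and logger name
    ("root" for the root logger) -> list of referenced appender names.
    Assumes the usual key=value form of log4j.properties."""
    appenders, loggers = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        m = APPENDER_KEY.fullmatch(key)
        if m:
            appenders[m.group(1)] = value
            continue
        if key in ("log4j.rootLogger", "log4j.rootCategory"):
            name = "root"
        elif key.startswith(("log4j.logger.", "log4j.category.")):
            name = key.split(".", 2)[2]
        else:
            continue  # appender parameters, additivity flags, etc.
        tokens = [t.strip() for t in value.split(",")]   # "LEVEL, app1, app2"
        loggers[name] = [t for t in tokens[1:] if t]
    return appenders, loggers


def parse_xml(text):
    """Same structures from the log4j 1.x XML format: <appender name= class=>,
    and <root>/<logger>/<category> with <appender-ref ref=.../> children."""
    doc = ET.fromstring(text)
    appenders = {a.get("name"): a.get("class") for a in doc.iter("appender")}
    loggers = {}
    for elem in doc.iter():
        if elem.tag == "root":
            name = "root"
        elif elem.tag in ("logger", "category"):
            name = elem.get("name")
        else:
            continue
        loggers[name] = [ref.get("ref") for ref in elem.findall("appender-ref")]
    return appenders, loggers


def jms_findings(appenders, loggers):
    """Map each JMSAppender definition to the sorted loggers referencing it."""
    return {name: sorted(lg for lg, refs in loggers.items() if name in refs)
            for name, cls in appenders.items() if cls == JMS_APPENDER}


def exposed_to_cve_2021_4104(config_text):
    """True when a JMSAppender is defined AND attached to at least one logger."""
    parse = parse_xml if config_text.lstrip().startswith("<") else parse_properties
    return any(jms_findings(*parse(config_text)).values())


# Constructed sample configs (not copied from any real deployment).  The first
# has the shape of a stock Spark conf/log4j.properties: console appender only.
CONSOLE_ONLY = """
log4j.rootCategory=INFO, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
"""
JMS_ATTACHED = """
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.ProviderURL=tcp://broker.example.internal:61616
log4j.appender.jms.TopicBindingName=logTopic
"""
JMS_UNREFERENCED = """
log4j.rootLogger=WARN, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""
JMS_XML = """
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <logger name="org.apache.spark"><appender-ref ref="jms"/></logger>
  <root><level value="INFO"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, cfg in [("console only", CONSOLE_ONLY), ("jms attached", JMS_ATTACHED),
                       ("jms unreferenced", JMS_UNREFERENCED), ("jms xml", JMS_XML)]:
        parse = parse_xml if cfg.lstrip().startswith("<") else parse_properties
        print(f"{label:17} {jms_findings(*parse(cfg))}  exposed={exposed_to_cve_2021_4104(cfg)}")
```

On a real cluster, feed it $SPARK_HOME/conf/log4j.properties, any log4j.properties or log4j.xml resource bundled in jars on the driver and executor classpath, and whatever -Dlog4j.configuration in spark.driver.extraJavaOptions or spark.executor.extraJavaOptions points at, since that file wins over the one in conf/. The JMSAppender class being present in log4j-1.2.17.jar is not by itself a finding; the Red Hat text quoted above makes the exposure a matter of configuration. Its second condition (an attacker able to write the configuration) is a file-permission question that this static check does not answer.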
