daguito81 commented on pull request #34877:
URL: https://github.com/apache/spark/pull/34877#issuecomment-993267778


   Attaching some previous discussion regarding migrating from Log4j 1.x to 2.x.
   We have this issue from 2015, https://issues.apache.org/jira/browse/SPARK-6305,
   where a lot of information can be read regarding the problem with
   dependencies and bumping log4j to 2.x.

   Regarding CVE-2021-4104 @bradbm stated, supposedly this only affects you if
   you have JMSAppender in your Log4j configuration, which Spark doesn't use by
   default. If your application uses JMSAppender you can see mitigations here
   https://access.redhat.com/security/cve/CVE-2021-4104 so you're not vulnerable.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


