Yes, Spark does not use the SocketServer mentioned in CVE-2019-17571, however, so is not affected. 3.3.0 would probably be out in a couple months.

On Thu, Jan 13, 2022 at 3:14 AM Juan Liu <liuj...@cn.ibm.com> wrote:
> We are informed that CVE-2021-4104 is not the only problem with Log4J 1.x.
> There is one more, CVE-2019-17571, and as Apache announced EOL in 2015, so
> Spark 3.3.0 will be very expected. Do you think mid-2022 is a reasonable
> time for the Spark 3.3.0 release?
>
> *Juan Liu (刘娟) **PMP**®*
> Release Management, Watson Health, China Development Lab
> Email: liuj...@cn.ibm.com
> Phone: 86-10-82452506