There is a discussion on GitHub on this topic and the recommendation is
to upgrade from 1.x to 2.15.0, due to the vulnerability of 1.x:
https://github.com/apache/logging-log4j2/pull/608
This discussion is also referenced by the German Federal Office for
Information Security: https://www.bsi.bund.de/EN/Home/home_node.html
Cheers,
Martin
On 13.12.21 at 17:02, Jörn Franke wrote:
Is it in any case appropriate to use log4j 1.x which is not maintained
anymore and has other security vulnerabilities which won’t be fixed
anymore?
On 13.12.2021 at 06:06, Sean Owen <sro...@gmail.com> wrote:
Check the CVE - the log4j vulnerability appears to affect log4j 2,
not 1.x. There was mention that it could affect 1.x when used with
JNDI or SMS handlers, but Spark does neither. (unless anyone can
think of something I'm missing, but never heard or seen that come up
at all in 7 years in Spark)
The big issue would be applications that themselves configure log4j
2.x, but that's not a Spark issue per se.
On Sun, Dec 12, 2021 at 10:46 PM Pralabh Kumar
<pralabhku...@gmail.com> wrote:
Hi developers, users
Spark is built using log4j 1.2.17. Is there a plan to upgrade
based on recent CVE detected?
Regards
Pralabh kumar