Posted to user@spark.apache.org by Juan Liu <li...@cn.ibm.com> on 2022/01/12 14:50:20 UTC

Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Dear Spark support,

Due to the known log4j security issue, we are required to upgrade log4j 
version to 2.17.1. Currently, we use Spark3.1.2 with default log4j 1.2.17. 
Also we found log4j configuration document here:  
https://spark.apache.org/docs/3.2.0/configuration.html#configuring-logging

Our questions:
Does Spark 3.1.2 support log4j v2.17.1? how to upgrade log4j from 1.* to 
2.17.1 in Spark? would you pls help to provide guidance? 
If Spark 3.1.2 doesn't support log4j v2.17.1, then how about Spark 3.2? 
pls also help to provide guidance, thanks!
We found Spark 3.3 will support log4j migrate from 1 to 2 in this ticket: 
https://issues.apache.org/jira/browse/SPARK-37814 , also I noticed all 
sub-tasks are done except one.  it's awesome! would you pls help to advise 
your target release day? if it's in very near future, like Jan, maybe we 
can wait for 3.3. 

BTW, as log4j issue is very popular security issue, it's better if Spark 
team could post the solution directly in security page (
https://spark.apache.org/security.html) to benefit end user. 

Anyway, thank you so much for providing such a powerful tool for us, and 
thanks for your patience to read and reply this mail. Have a good day!


Juan Liu (刘娟) PMP®
Release Management, Watson Health, China Development Lab
Email: liujuan@cn.ibm.com
Phone: 86-10-82452506

RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Posted by "Crowe, John" <Jo...@tditechnologies.com>.
I get that Sean, I really do,  but customers being customers, they see Log4j, and they panic.. I’ve been telling them since this began that Version 1x is not affected, but.. but..

Letting them know that 2.17.1 is on the way, IS helpful, but of course they ask us when is it coming?  Just trying to reduce the madness.. 😊

Regards;
John Crowe
TDi Technologies, Inc.
1600 10th Street Suite B
Plano, TX  75074
(800) 695-1258
Support@TDiTechnologies.com

From: Sean Owen <sr...@gmail.com>
Sent: Wednesday, January 12, 2022 10:23 AM
To: Crowe, John <Jo...@tditechnologies.com>
Cc: user@spark.apache.org
Subject: Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Again: the CVE has no known effect on released Spark versions. Spark 3.3 will have log4j 2.x anyway.

On Wed, Jan 12, 2022 at 10:21 AM Crowe, John <Jo...@tditechnologies.com>> wrote:
I too would like to know when you anticipate Spark 3.3.0 to be released due to the Log4j CVE’s.
Our customers are all quite concerned.


Regards;
John Crowe
TDi Technologies, Inc.
1600 10th Street Suite B
Plano, TX  75074
(800) 695-1258
Support@TDiTechnologies.com

From: Juan Liu <li...@cn.ibm.com>>
Sent: Wednesday, January 12, 2022 8:50 AM
To: user@spark.apache.org
Cc: Theodore J Griesenbrock <te...@ibm.com>>
Subject: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Dear Spark support,

Due to the known log4j security issue, we are required to upgrade log4j version to 2.17.1. Currently, we use Spark3.1.2 with default log4j 1.2.17. Also we found log4j configuration document here:  https://spark.apache.org/docs/3.2.0/configuration.html#configuring-logging

Our questions:

  *   Does Spark 3.1.2 support log4j v2.17.1? how to upgrade log4j from 1.* to 2.17.1 in Spark? would you pls help to provide guidance?
  *   If Spark 3.1.2 doesn't support log4j v2.17.1, then how about Spark 3.2? pls also help to provide guidance, thanks!
  *   We found Spark 3.3 will support log4j migrate from 1 to 2 in this ticket: https://issues.apache.org/jira/browse/SPARK-37814, also I noticed all sub-tasks are done except one.  it's awesome! would you pls help to advise your target release day? if it's in very near future, like Jan, maybe we can wait for 3.3.

BTW, as log4j issue is very popular security issue, it's better if Spark team could post the solution directly in security page (https://spark.apache.org/security.html) to benefit end user.

Anyway, thank you so much for providing such a powerful tool for us, and thanks for your patience to read and reply this mail. Have a good day!
Juan Liu (刘娟) PMP®
Release Management, Watson Health, China Development Lab
Email: liujuan@cn.ibm.com
Phone: 86-10-82452506


Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Posted by Sean Owen <sr...@gmail.com>.
Again: the CVE has no known effect on released Spark versions. Spark 3.3
will have log4j 2.x anyway.

On Wed, Jan 12, 2022 at 10:21 AM Crowe, John <Jo...@tditechnologies.com>
wrote:

> I too would like to know when you anticipate Spark 3.3.0 to be released
> due to the Log4j CVE’s.
>
> Our customers are all quite concerned.
>
>
>
>
>
> Regards;
>
> John Crowe
>
> TDi Technologies, Inc.
>
> 1600 10th Street Suite B
>
> Plano, TX  75074
>
> (800) 695-1258
>
> Support@TDiTechnologies.com
>
>
>
> *From:* Juan Liu <li...@cn.ibm.com>
> *Sent:* Wednesday, January 12, 2022 8:50 AM
> *To:* user@spark.apache.org
> *Cc:* Theodore J Griesenbrock <te...@ibm.com>
> *Subject:* Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your
> target release day for Spark3.3?
>
>
>
> Dear Spark support,
>
> Due to the known log4j security issue, we are required to upgrade log4j
> version to 2.17.1. Currently, we use Spark3.1.2 with default log4j 1.2.17.
> Also we found log4j configuration document here:
> https://spark.apache.org/docs/3.2.0/configuration.html#configuring-logging
>
> Our questions:
>
>    - Does Spark 3.1.2 support log4j v2.17.1? how to upgrade log4j from
>    1.* to 2.17.1 in Spark? would you pls help to provide guidance?
>    - If Spark 3.1.2 doesn't support log4j v2.17.1, then how about Spark
>    3.2? pls also help to provide guidance, thanks!
>    - We found Spark 3.3 will support log4j migrate from 1 to 2 in this
>    ticket: https://issues.apache.org/jira/browse/SPARK-37814, also I
>    noticed all sub-tasks are done except one.  it's awesome! would you pls
>    help to advise your target release day? if it's in very near future, like
>    Jan, maybe we can wait for 3.3.
>
>
> BTW, as log4j issue is very popular security issue, it's better if Spark
> team could post the solution directly in security page (
> https://spark.apache.org/security.html) to benefit end user.
>
> Anyway, thank you so much for providing such a powerful tool for us, and
> thanks for your patience to read and reply this mail. Have a good day!
>
> *Juan Liu (**刘娟**) **PMP**®*
>
> Release Management, Watson Health, China Development Lab
> Email: liujuan@cn.ibm.com
> Phone: 86-10-82452506
>
>
>
>

RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Posted by "Crowe, John" <Jo...@tditechnologies.com>.
I too would like to know when you anticipate Spark 3.3.0 to be released due to the Log4j CVE’s.
Our customers are all quite concerned.


Regards;
John Crowe
TDi Technologies, Inc.
1600 10th Street Suite B
Plano, TX  75074
(800) 695-1258
Support@TDiTechnologies.com

From: Juan Liu <li...@cn.ibm.com>
Sent: Wednesday, January 12, 2022 8:50 AM
To: user@spark.apache.org
Cc: Theodore J Griesenbrock <te...@ibm.com>
Subject: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Dear Spark support,

Due to the known log4j security issue, we are required to upgrade log4j version to 2.17.1. Currently, we use Spark3.1.2 with default log4j 1.2.17. Also we found log4j configuration document here:  https://spark.apache.org/docs/3.2.0/configuration.html#configuring-logging

Our questions:

  *   Does Spark 3.1.2 support log4j v2.17.1? how to upgrade log4j from 1.* to 2.17.1 in Spark? would you pls help to provide guidance?
  *   If Spark 3.1.2 doesn't support log4j v2.17.1, then how about Spark 3.2? pls also help to provide guidance, thanks!
  *   We found Spark 3.3 will support log4j migrate from 1 to 2 in this ticket: https://issues.apache.org/jira/browse/SPARK-37814, also I noticed all sub-tasks are done except one.  it's awesome! would you pls help to advise your target release day? if it's in very near future, like Jan, maybe we can wait for 3.3.

BTW, as log4j issue is very popular security issue, it's better if Spark team could post the solution directly in security page (https://spark.apache.org/security.html) to benefit end user.

Anyway, thank you so much for providing such a powerful tool for us, and thanks for your patience to read and reply this mail. Have a good day!
Juan Liu (刘娟) PMP®
Release Management, Watson Health, China Development Lab
Email: liujuan@cn.ibm.com
Phone: 86-10-82452506



Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Posted by Sean Owen <sr...@gmail.com>.
This very user@ list -- announcements will go to all the lists.

On Wed, Jan 19, 2022 at 11:50 AM Theodore J Griesenbrock <te...@ibm.com>
wrote:

> Again, sorry to bother you.
>
> What is the best option available to ensure we get notified when a new
> version is released for Apache Spark?  I do not see any RSS feeds, nor do I
> see any e-mail subscription option for this page:
> https://spark.apache.org/news/index.html
>
>

RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Posted by "Bode, Meikel, NM-X-DS" <Me...@Bertelsmann.de>.
Hello Juan Liu,

The release process is well documented (see last step on announcement):
https://spark.apache.org/release-process.html

To (un)subscribe to the mailing lists see:
https://spark.apache.org/community.html

Best,
Meikel

Meikel Bode, MSc
Senior Manager | Head of SAP Data Platforms & Analytics
-------------------------------------------------
Postal address:
Arvato Systems GmbH
Reinhard-Mohn-Straße 200
33333 Gütersloh
Germany

Visitor address:
Arvato Systems GmbH
Fuggerstraße 11
33689 Bielefeld
Germany

Phone: +49(5241)80-89734
Mobile: +49(151)14774185
E-Mail: Meikel.Bode@Bertelsmann.de
arvato-systems.de



From: Juan Liu <li...@cn.ibm.com>
Sent: Thursday, 20 January 2022 09:44
To: Bode, Meikel, NM-X-DS <Me...@Bertelsmann.de>
Cc: srowen@gmail.com; Theodore J Griesenbrock <te...@ibm.com>; user@spark.apache.org
Subject: RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

hi, Meikel, would you pls help to add both of us (teej@ibm.com, liujuan@cn.ibm.com) to mailing lists: user@spark.apache.org ? thanks!
Juan Liu (刘娟) PMP®
Release Manager, Watson Health, China Development Lab
Email: liujuan@cn.ibm.com
Mobile: 86-13521258532





From:        "Bode, Meikel, NM-X-DS" <Me...@Bertelsmann.de>
To:        "Theodore J Griesenbrock" <te...@ibm.com>, "srowen@gmail.com" <sr...@gmail.com>
Cc:        "Juan Liu" <li...@cn.ibm.com>, "user@spark.apache.org" <us...@spark.apache.org>
Date:        2022/01/20 03:05 PM
Subject:        [EXTERNAL] RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?
________________________________




Hi,

New releases are announced via mailing lists user@spark.apache.org & dev@spark.apache.org.

Best,
Meikel

From: Theodore J Griesenbrock <te...@ibm.com>
Sent: Wednesday, 19 January 2022 18:50
To: srowen@gmail.com
Cc: Juan Liu <li...@cn.ibm.com>; user@spark.apache.org
Subject: RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?




Again, sorry to bother you.

What is the best option available to ensure we get notified when a new version is released for Apache Spark?  I do not see any RSS feeds, nor do I see any e-mail subscription option for this page:  https://spark.apache.org/news/index.html

Please let me know what we can do to ensure we stay up to date with the news.

Thanks!

-T.J.

T.J. Griesenbrock
Technical Release Manager
Watson Health
He/Him/His

+1 (602) 377-7673 (Text only)
teej@ibm.com

IBM

----- Original message -----
From: "Sean Owen" <sr...@gmail.com>
To: "Juan Liu" <li...@cn.ibm.com>
Cc: "Theodore J Griesenbrock" <te...@ibm.com>, "User" <us...@spark.apache.org>
Subject: [EXTERNAL] Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?
Date: Thu, Jan 13, 2022 08:05

Yes, Spark does not use the SocketServer mentioned in CVE-2019-17571, however, so is not affected.

3.3.0 would probably be out in a couple months.



On Thu, Jan 13, 2022 at 3:14 AM Juan Liu <li...@cn.ibm.com> wrote:

We are informed that CVE-2021-4104 is not only problem with Log4J 1.x. There is one more CVE-2019-17571, and as Apache announced EOL in 2015, so Spark 3.3.0 will be very expected. Do you think middle 2022 is a reasonable time for Spark 3.3.0 release?

Juan Liu (刘娟) PMP®
Release Management, Watson Health, China Development Lab
Email: liujuan@cn.ibm.com
Phone: 86-10-82452506

---------------------------------------------------------------------
To unsubscribe e-mail: user-unsubscribe@spark.apache.org


RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Posted by "Bode, Meikel, NM-X-DS" <Me...@Bertelsmann.de>.
Hi,

New releases are announced via mailing lists user@spark.apache.org & dev@spark.apache.org.

Best,
Meikel

From: Theodore J Griesenbrock <te...@ibm.com>
Sent: Wednesday, 19 January 2022 18:50
To: srowen@gmail.com
Cc: Juan Liu <li...@cn.ibm.com>; user@spark.apache.org
Subject: RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Again, sorry to bother you.

What is the best option available to ensure we get notified when a new version is released for Apache Spark?  I do not see any RSS feeds, nor do I see any e-mail subscription option for this page:  https://spark.apache.org/news/index.html

Please let me know what we can do to ensure we stay up to date with the news.

Thanks!

-T.J.


T.J. Griesenbrock
Technical Release Manager
Watson Health
He/Him/His

+1 (602) 377-7673 (Text only)
teej@ibm.com

IBM


----- Original message -----
From: "Sean Owen" <sr...@gmail.com>
To: "Juan Liu" <li...@cn.ibm.com>
Cc: "Theodore J Griesenbrock" <te...@ibm.com>, "User" <us...@spark.apache.org>
Subject: [EXTERNAL] Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?
Date: Thu, Jan 13, 2022 08:05

Yes, Spark does not use the SocketServer mentioned in CVE-2019-17571, however, so is not affected.
3.3.0 would probably be out in a couple months.

On Thu, Jan 13, 2022 at 3:14 AM Juan Liu <li...@cn.ibm.com> wrote:
We are informed that CVE-2021-4104 is not only problem with Log4J 1.x. There is one more CVE-2019-17571, and as Apache announced EOL in 2015, so Spark 3.3.0 will be very expected. Do you think middle 2022 is a reasonable time for Spark 3.3.0 release?

Juan Liu (刘娟) PMP®
Release Management, Watson Health, China Development Lab
Email: liujuan@cn.ibm.com
Phone: 86-10-82452506

---------------------------------------------------------------------
To unsubscribe e-mail: user-unsubscribe@spark.apache.org

RE: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Posted by Theodore J Griesenbrock <te...@ibm.com>.
Again, sorry to bother you.

What is the best option available to ensure we get notified when a new version
is released for Apache Spark?  I do not see any RSS feeds, nor do I see any
e-mail subscription option for this page:
https://spark.apache.org/news/index.html

Please let me know what we can do to ensure we stay up to date with the news.

Thanks!

-T.J.

T.J. Griesenbrock
Technical Release Manager
Watson Health
He/Him/His

+1 (602) 377-7673 (Text only)
teej@ibm.com

IBM

> ----- Original message -----
> From: "Sean Owen" <sr...@gmail.com>
> To: "Juan Liu" <li...@cn.ibm.com>
> Cc: "Theodore J Griesenbrock" <te...@ibm.com>, "User" <us...@spark.apache.org>
> Subject: [EXTERNAL] Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how?
> your target release day for Spark3.3?
> Date: Thu, Jan 13, 2022 08:05
>
> Yes, Spark does not use the SocketServer mentioned in CVE-2019-17571,
> however, so is not affected.
>
> 3.3.0 would probably be out in a couple months.
>
> On Thu, Jan 13, 2022 at 3:14 AM Juan Liu <liujuan@cn.ibm.com> wrote:
>
>> We are informed that CVE-2021-4104 is not only problem with Log4J 1.x.
>> There is one more CVE-2019-17571, and as Apache announced EOL in 2015, so
>> Spark 3.3.0 will be very expected. Do you think middle 2022 is a reasonable
>> time for Spark 3.3.0 release?
>>
>> Juan Liu (刘娟) PMP®
>> Release Management, Watson Health, China Development Lab
>> Email: liujuan@cn.ibm.com
>> Phone: 86-10-82452506

---------------------------------------------------------------------
To unsubscribe e-mail: user-unsubscribe@spark.apache.org


Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Posted by Sean Owen <sr...@gmail.com>.
Yes, Spark does not use the SocketServer mentioned in CVE-2019-17571,
however, so is not affected.
3.3.0 would probably be out in a couple months.

On Thu, Jan 13, 2022 at 3:14 AM Juan Liu <li...@cn.ibm.com> wrote:

> We are informed that CVE-2021-4104 is not only problem with Log4J 1.x.
> There is one more CVE-2019-17571, and as Apache announced EOL in 2015, so
> Spark 3.3.0 will be very expected. Do you think middle 2022 is a reasonable
> time for Spark 3.3.0 release?
>
> *Juan Liu (刘娟) **PMP**®*
> Release Management, Watson Health, China Development Lab
> Email: liujuan@cn.ibm.com
> Phone: 86-10-82452506
>
>
>
>

Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Posted by Sean Owen <sr...@gmail.com>.
As noted, there is no known effect on Spark, as released versions do not
use an affected log4j version and configuration, thus no documentation
about remediation.
It is in any event a good idea to update to 2.x; please see JIRA for the
log4j 2.x update, which will come in Spark 3.3.0 as this is all discussed
in depth there.
There is no release date for Spark 3.3.0, but likely in a few months.

On Wed, Jan 12, 2022 at 8:59 AM Juan Liu <li...@cn.ibm.com> wrote:

> Dear Spark support,
>
> Due to the known log4j security issue, we are required to upgrade log4j
> version to 2.17.1. Currently, we use Spark3.1.2 with default log4j 1.2.17.
> Also we found log4j configuration document here:
> https://spark.apache.org/docs/3.2.0/configuration.html#configuring-logging
>
> Our questions:
>
>    - Does Spark 3.1.2 support log4j v2.17.1? how to upgrade log4j from
>    1.* to 2.17.1 in Spark? would you pls help to provide guidance?
>    - If Spark 3.1.2 doesn't support log4j v2.17.1, then how about Spark
>    3.2? pls also help to provide guidance, thanks!
>    - We found Spark 3.3 will support log4j migrate from 1 to 2 in this
>    ticket: https://issues.apache.org/jira/browse/SPARK-37814, also I
>    noticed all sub-tasks are done except one.  it's awesome! would you pls
>    help to advise your target release day? if it's in very near future, like
>    Jan, maybe we can wait for 3.3.
>
>
> BTW, as log4j issue is very popular security issue, it's better if Spark
> team could post the solution directly in security page (
> https://spark.apache.org/security.html) to benefit end user.
>
> Anyway, thank you so much for providing such a powerful tool for us, and
> thanks for your patience to read and reply this mail. Have a good day!
>
> *Juan Liu (刘娟) **PMP**®*
> Release Management, Watson Health, China Development Lab
> Email: liujuan@cn.ibm.com
> Phone: 86-10-82452506
>
>
>
>

Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

Posted by Artemis User <ar...@dtechspace.com>.
There was a discussion on this issue couple of weeks ago.  Basically if 
you look at the CVE definition of Log4j, the vulnerability only affects 
certain versions of log4j 2.x, not 1.x.  Since Spark doesn't use any of 
the affected log4j versions, this shouldn't be a concern..

https://lists.apache.org/list?user@spark.apache.org:lte=1M:Log4j

On 1/12/22 9:50 AM, Juan Liu wrote:
> Dear Spark support,
>
> Due to the known log4j security issue, we are required to upgrade 
> log4j version to 2.17.1. Currently, we use Spark3.1.2 with default 
> log4j 1.2.17. Also we found log4j configuration document here: 
> https://spark.apache.org/docs/3.2.0/configuration.html#configuring-logging
>
> Our questions:
>
>   * Does Spark 3.1.2 support log4j v2.17.1? how to upgrade log4j from
>     1.* to 2.17.1 in Spark? would you pls help to provide guidance?
>   * If Spark 3.1.2 doesn't support log4j v2.17.1, then how about Spark
>     3.2? pls also help to provide guidance, thanks!
>   * We found Spark 3.3 will support log4j migrate from 1 to 2 in this
>     ticket: https://issues.apache.org/jira/browse/SPARK-37814, also I
>     noticed all sub-tasks are done except one.  it's awesome! would
>     you pls help to advise your target release day? if it's in very
>     near future, like Jan, maybe we can wait for 3.3.
>
>
> BTW, as log4j issue is very popular security issue, it's better if 
> Spark team could post the solution directly in security page 
> (https://spark.apache.org/security.html) to benefit end user.
>
> Anyway, thank you so much for providing such a powerful tool for us, 
> and thanks for your patience to read and reply this mail. Have a good day!
>
> *Juan Liu (刘娟) **PMP**®*
> Release Management, Watson Health, China Development Lab
> Email: liujuan@cn.ibm.com
> Phone: 86-10-82452506
>
>
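
Added example (not part of any message in this thread, and not Spark project code): one way to check, for a given jars directory and log4j.properties, the point made in the replies above that exposure depends on which log4j version is shipped and how it is configured. The jar file-name pattern, the helper names and the sample files are assumptions constructed for illustration; JMSAppender is the log4j 1.x class that CVE-2021-4104 concerns.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class files tied to the two log4j 1.x CVEs named in the thread.
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"  # CVE-2019-17571
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"    # CVE-2021-4104
TARGET_2X = (2, 17, 1)  # the 2.x version the original poster was asked to reach
# Assumed Maven-style jar names, e.g. log4j-1.2.17.jar, log4j-core-2.17.1.jar
JAR_RE = re.compile(r"^(log4j|log4j-core|log4j-api)-(\d+(?:\.\d+)+)\.jar$")
# Top-level appender definitions only: log4j.appender.<name>=<class>
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.(\w+)\s*=\s*(\S+)")


def jms_appenders(properties_text):
    """Names of appenders in a log4j 1.x properties file that use JMSAppender."""
    hits = []
    for line in properties_text.splitlines():
        m = APPENDER_RE.match(line)
        if m and m.group(2) == "org.apache.log4j.net.JMSAppender":
            hits.append(m.group(1))
    return hits


def audit(jars_dir, properties_text):
    """Return (jar, issue, level) tuples; level is 'info' or 'action'."""
    findings = []
    for jar in sorted(Path(jars_dir).glob("log4j*.jar")):
        m = JAR_RE.match(jar.name)
        if not m:
            continue
        artifact = m.group(1)
        version = tuple(int(p) for p in m.group(2).split("."))
        if artifact == "log4j" and version[0] == 1:
            with zipfile.ZipFile(jar) as zf:
                names = set(zf.namelist())
            if SOCKET_SERVER in names:
                # Shipping the class is not exposure; a process must launch it.
                findings.append((jar.name, "CVE-2019-17571", "info"))
            if JMS_APPENDER in names and jms_appenders(properties_text):
                # Class present AND the configuration actually wires it in.
                findings.append((jar.name, "CVE-2021-4104", "action"))
        elif artifact == "log4j-core" and version < TARGET_2X:
            findings.append((jar.name, "below-2.17.1", "action"))
    return findings


def make_sample_jar(directory, name, entries):
    """Write a constructed jar (zip) holding empty placeholder class entries."""
    with zipfile.ZipFile(Path(directory) / name, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")


# Constructed samples: a console-only config and one that wires in JMSAppender.
CONSOLE_ONLY = """\
# constructed sample
log4j.rootCategory=INFO, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
"""
WITH_JMS = CONSOLE_ONLY + "log4j.appender.audit=org.apache.log4j.net.JMSAppender\n"


def demo():
    """Audit a constructed jars directory against both sample configs."""
    with tempfile.TemporaryDirectory() as d:
        make_sample_jar(d, "log4j-1.2.17.jar", [SOCKET_SERVER, JMS_APPENDER])
        make_sample_jar(d, "log4j-core-2.14.1.jar", [])
        make_sample_jar(d, "log4j-core-2.17.1.jar", [])
        return audit(d, CONSOLE_ONLY), audit(d, WITH_JMS)


if __name__ == "__main__":
    for label, result in zip(("console-only", "with JMSAppender"), demo()):
        print(label, result)
```

An "info" result means the class ships in the jar but nothing in the inspected configuration uses it; "action" means the configuration or version itself needs changing.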