Posted to issues@livy.apache.org by "PJ Fanning (Jira)" <ji...@apache.org> on 2022/02/09 15:25:00 UTC

[jira] [Commented] (LIVY-878) Log4j upgrade for Livy 0.7.0 version

    [ https://issues.apache.org/jira/browse/LIVY-878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17489638#comment-17489638 ] 

PJ Fanning commented on LIVY-878:
---------------------------------

[~tinujose] you could try replacing the log4j jars in your deploy with [https://reload4j.qos.ch/]

Or you can replace the log4j jars in your deploy with log4j-1.2-api (a bit more complicated to set up - see https://logging.apache.org/log4j/2.x/manual/migration.html)

>  Log4j upgrade for Livy 0.7.0 version
> -------------------------------------
>
>                 Key: LIVY-878
>                 URL: https://issues.apache.org/jira/browse/LIVY-878
>             Project: Livy
>          Issue Type: Bug
>            Reporter: Tinu Jose
>            Priority: Major
>
> We are looking for advice from you in the context of the below-mentioned issue:
>  
> *A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021.* 
> *The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.*
>  
> Apache Livy version 0.7.0 is being used by our team for processing Spark jobs. It uses Log4j 1.x.x, which does not have any continued support.
> We would like to upgrade the Log4j version to the latest stable version 2.15 without having any impact on the installations.
>  
> Could you please recommend the possible ways to do the upgrade. Please note, we are not looking to upgrade the Livy version to 0.7.1 to resolve this issue.
> Our requirement is to retain the current installed version and configurations with only changes in the Log4j versions.



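An added example, not part of the original message or of the Livy project: a Python inventory of the logging jars in a deploy directory, to run before and after the jar replacement suggested in the comment above. It assumes each jar still carries its Maven `pom.properties` entry (with a class-name fallback for repackaged jars); the directory argument, the sample jars and their version strings are constructed for illustration.

```python
import sys, tempfile, zipfile
from pathlib import Path

# Maven coordinates each jar records at META-INF/maven/<group>/<artifact>/pom.properties
KNOWN = {
    ("log4j", "log4j"): "log4j-1.x",
    ("ch.qos.reload4j", "reload4j"): "reload4j",
    ("org.apache.logging.log4j", "log4j-1.2-api"): "log4j-1.2-api",
    ("org.apache.logging.log4j", "log4j-core"): "log4j-core",
}
LEGACY = {"log4j-1.x", "log4j-1.x-classes-only"}  # kinds that still need replacing

def classify_jar(path):
    """Return a list of (kind, version) for every logging artifact found in one jar."""
    found = []
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            for (group, artifact), kind in KNOWN.items():
                props = f"META-INF/maven/{group}/{artifact}/pom.properties"
                if props in names:
                    lines = jar.read(props).decode("utf-8", "replace").splitlines()
                    fields = dict(l.split("=", 1) for l in lines if "=" in l)
                    found.append((kind, fields.get("version", "unknown").strip()))
            # Repackaged jar without Maven metadata: fall back to the 1.x API class.
            if not found and "org/apache/log4j/Logger.class" in names:
                found.append(("log4j-1.x-classes-only", "unknown"))
    except zipfile.BadZipFile:
        found.append(("unreadable", "unknown"))
    return found

def scan(deploy_dir):
    """Walk a deploy directory and list (jar name, kind, version) per finding."""
    jars = sorted(Path(deploy_dir).rglob("*.jar"))
    return [(j.name, kind, ver) for j in jars for kind, ver in classify_jar(j)]

def make_sample_jar(path, group, artifact, version):
    """Write a constructed jar holding only the Maven metadata entry."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                     f"groupId={group}\nartifactId={artifact}\nversion={version}\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample if no dir given
        make_sample_jar(Path(tmp, "log4j-sample.jar"), "log4j", "log4j", "1.2.17")
        make_sample_jar(Path(tmp, "reload4j-sample.jar"), "ch.qos.reload4j", "reload4j", "0.0.0")
        for name, kind, version in scan(sys.argv[1] if len(sys.argv) > 1 else tmp):
            print("REPLACE" if kind in LEGACY else "ok", name, kind, version)
```

A jar reported as `log4j-1.x` or `log4j-1.x-classes-only` after the swap means an old copy is still on the classpath, for example in a second lib directory.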