Posted to issues@spark.apache.org by "Ismail H (Jira)" <ji...@apache.org> on 2021/12/16 16:07:00 UTC

[jira] [Comment Edited] (SPARK-37630) Security issue from Log4j 1.X exploit

    [ https://issues.apache.org/jira/browse/SPARK-37630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460832#comment-17460832 ] 

Ismail H edited comment on SPARK-37630 at 12/16/21, 4:06 PM:
-------------------------------------------------------------

to [~divekarsc], extract from https://access.redhat.com/security/cve/CVE-2021-4104:
bq. Note this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker's JMS Broker.

So the question is: is Spark using JMSAppender?


was (Author: JIRAUSER281735):
to [~divekarsc], extract from https://access.redhat.com/security/cve/CVE-2021-4104:
bq. Note this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker's JMS Broker. bq. 

So the question is: is Spark using JMSAppender?

> Security issue from Log4j 1.X exploit
> -------------------------------------
>
>                 Key: SPARK-37630
>                 URL: https://issues.apache.org/jira/browse/SPARK-37630
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 2.4.8, 3.2.0
>            Reporter: Ismail H
>            Priority: Major
>              Labels: security
>
> log4j is being used in version [1.2.17|#L122]
>  
> This version has been deprecated and [has since had a known issue that hasn't been addressed in 1.X versions|https://www.cvedetails.com/cve/CVE-2019-17571/].
>  
> *Solution:*
>  * Upgrade log4j to version 2.15.0, which corrects all known issues. [Last known issues|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228]
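A defender-side check for the question the comment raises (is JMSAppender configured at all?), added here as an example and not code from the Spark project or this Jira thread: it parses a log4j 1.x properties file and reports every JMSAppender definition, whether any logger actually attaches it, and its settings. The sample configuration, broker URL and topic name are constructed; point `find_jms_appenders` at the contents of a real `conf/log4j.properties` to run it against a deployment.

```python
import re

# Appender class named by CVE-2021-4104 (the advisory quoted in the comment above).
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

def parse_log4j_properties(text: str) -> dict:
    """Parse Java properties as log4j 1.x reads them: key=value, '#'/'!' comments, '\\' continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        logical += raw.strip()
        if logical.endswith("\\"):          # continuation: join with the next line
            logical = logical[:-1]
            continue
        if logical and logical[0] not in "#!":
            if m := re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical):
                props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props

def referenced_appenders(props: dict) -> set:
    """Appender names on logger lines ('LEVEL, app1, app2'); PropertyConfigurator only instantiates those."""
    names = set()
    for key, value in props.items():
        if re.fullmatch(r"log4j\.(rootLogger|rootCategory|logger\..+|category\..+)", key):
            names.update(p.strip() for p in value.split(",")[1:] if p.strip())
    return names

def find_jms_appenders(text: str) -> list:
    """Return (name, attached to a logger?, settings) for each JMSAppender definition."""
    props = parse_log4j_properties(text)
    active = referenced_appenders(props)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER:
            name = m.group(1)
            prefix = f"log4j.appender.{name}."
            settings = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
            findings.append((name, name in active, settings))
    return findings

# Constructed sample (not Spark's template): console appender plus a JMSAppender on the root logger.
SAMPLE_CONFIG = """\
log4j.rootCategory=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.ProviderURL=tcp://broker.example.invalid:61616
log4j.appender.jms.TopicBindingName=logTopic
"""
```

A JMSAppender that is defined but referenced by no logger line is reported with `attached=False`, since log4j 1.x only builds appenders that a logger names.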



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
