Posted to user@hadoop.apache.org by Pulkit Chawla <pu...@oracle.com> on 2021/09/14 11:14:24 UTC

Log4j upgrade to 2.x in hadoop for vulnerability fix

Hi,

Hadoop uses log4j1 even in latest versions. I am concerned about the log4j1 vulnerabilities related to network listening.

Wanted to know the risk of keeping log4j1 in Hadoop.
Does it use those log4j network classes? If no, can we completely remove it? If yes, how can we lessen the risk? Does creating a secure Kerberos network prevent those vulnerabilities?

Can anyone guide me?

Thanks,
Pulkit

Re: Log4j upgrade to 2.x in hadoop for vulnerability fix

Posted by Akira Ajisaka <aa...@apache.org>.
Hi Pulkit,

Hadoop does not use those log4j network classes unless the user and the
administrator configured the setting explicitly.
The issue is tracked by HADOOP-16206 (Migrate from Log4j1 to Log4j2):
<https://issues.apache.org/jira/browse/HADOOP-16206>

Thanks,
Akira

On Tue, Sep 14, 2021 at 10:33 PM Pulkit Chawla <pu...@oracle.com>
wrote:

> Hi,
>
> Hadoop uses log4j1 even in latest versions. I am concerned about the
> log4j1 vulnerabilities related to network listening.
>
> Wanted to know the risk of keeping log4j1 in Hadoop.
>
> Does it use those log4j network classes? If no, can we completely remove
> it? If yes, how can we lessen the risk? Does creating a secure Kerberos
> network prevent those vulnerabilities?
>
> Can anyone guide me?
>
> Thanks,
>
> Pulkit
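A configuration check for the point Akira makes above (Hadoop only uses the log4j 1.x network classes when an administrator configures them explicitly): this is an added example, not code from the thread or from Hadoop, that reads a log4j 1.x properties file and reports any org.apache.log4j.net appender that is both defined and attached to a logger. The properties text is a constructed sample in the layout of Hadoop's etc/hadoop/log4j.properties, not a real deployment's file.

```python
import re
# Constructed sample in the style of Hadoop's etc/hadoop/log4j.properties (not taken from any real
# deployment): console/file appenders plus two org.apache.log4j.net appenders, one wired to a logger.
SAMPLE_LOG4J_PROPERTIES = """\
hadoop.root.logger=INFO,console
log4j.rootLogger=${hadoop.root.logger}
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.RFA=org.apache.log4j.RollingFileAppender
# explicitly configured network appender, i.e. the opt-in the reply describes
log4j.appender.remote=org.apache.log4j.net.SocketAppender
log4j.appender.remote.RemoteHost=loghost.example.invalid
log4j.appender.remote.Port=4560
log4j.appender.unused=org.apache.log4j.net.SyslogAppender
log4j.logger.org.apache.hadoop.security=INFO,remote
"""

NET_PACKAGE = "org.apache.log4j.net."  # log4j 1.x package holding the Socket/JMS/SMTP/Syslog/Telnet appenders
_VAR = re.compile(r"\$\{([^}]+)\}")

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments, no line continuations."""
    pairs = (line.strip().split("=", 1) for line in text.splitlines()
             if "=" in line and line.strip()[:1] not in ("", "#", "!"))
    return {k.strip(): v.strip() for k, v in pairs}

def resolve(value, props):
    """Expand ${name} against keys in the same file; bounded so a self-reference cannot loop forever."""
    for _ in range(5):
        value = _VAR.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return value

def network_appenders(props):
    """Appenders whose class is in org.apache.log4j.net, whether or not any logger uses them."""
    return {k.split(".", 2)[2]: v for k, v in props.items()
            if k.startswith("log4j.appender.") and k.count(".") == 2 and v.startswith(NET_PACKAGE)}

def attached_appenders(props):
    """Appender names referenced from log4j.rootLogger or log4j.logger.* (first token is the level)."""
    names = set()
    for key, value in props.items():
        if key == "log4j.rootLogger" or key.startswith("log4j.logger."):
            tokens = [t.strip() for t in resolve(value, props).split(",")]
            names.update(t for t in tokens[1:] if t)
    return names

def active_network_appenders(text):
    """Network appenders that are both defined and attached to a logger: the explicit opt-in to flag."""
    props = parse_properties(text)
    used = attached_appenders(props)
    return {name: cls for name, cls in network_appenders(props).items() if name in used}
```

The listener-side classes (org.apache.log4j.net.SocketServer and SimpleSocketServer) are started as their own JVM process rather than through this file, so check the command lines of running Java processes for those separately.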