You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@spark.apache.org by Artemis User <ar...@dtechspace.com> on 2022/01/12 15:07:11 UTC

Re: Does Spark 3.1.2/3.2 support log4j 2.17.1+, and how? your target release day for Spark3.3?

There was a discussion on this issue couple of weeks ago.  Basically if 
you look at the CVE definition of Log4j, the vulnerability only affects 
certain versions of log4j 2.x, not 1.x.  Since Spark doesn't use any of 
the affected log4j versions, this shouldn't be a concern..

https://lists.apache.org/list?user@spark.apache.org:lte=1M:Log4j

On 1/12/22 9:50 AM, Juan Liu wrote:
> Dear Spark support,
>
> Due to the known log4j security issue, we are required to upgrade 
> log4j version to 2.17.1. Currently, we use Spark3.1.2 with default 
> log4j 1.2.17. Also we found log4j configuration document here: 
> https://spark.apache.org/docs/3.2.0/configuration.html#configuring-logging 
> <https://spark.apache.org/docs/3.2.0/configuration.html#configuring-logging>
>
> Our questions:
>
>   * Does Spark 3.1.2 support log4j v2.17.1? how to upgrade log4j from
>     1.* to 2.17.1 in Spark? would you pls help to provide guidance?
>   * If Spark 3.1.2 doesn't support log4j v2.17.1, then how about Spark
>     3.2? pls also help to provide guidance, thanks!
>   * We found Spark 3.3 will support log4j migrate from 1 to 2 in this
>     ticket: https://issues.apache.org/jira/browse/SPARK-37814
>     <https://issues.apache.org/jira/browse/SPARK-37814>, also I
>     noticed all sub-tasks are done except one.  it's awesome! would
>     you pls help to advise your target release day? if it's in very
>     near future, like Jan, maybe we can wait for 3.3.
>
>
> BTW, as log4j issue is very popular security issue, it's better if 
> Spark team could post the solution directly in security page 
> (https://spark.apache.org/security.html 
> <https://spark.apache.org/security.html>) to benefit end user.
>
> Anyway, thank you so much for providing such a powerful tool for us, 
> and thanks for your patience to read and reply this mail. Have a good day!
>
> *Juan Liu (刘娟) **PMP**®* 	
> 	
>
> 	
> Release Management, Watson Health, China Development Lab
> Email: liujuan@cn.ibm.com
> Phone: 86-10-82452506 	
>
> 	
> 	
>
> 	
> 	
>
>
>
>