[LIVY-878] Log4j upgrade for Livy 0.8.0 version - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 0.8.0
Component/s: None
Labels:
None

Description

We are looking for an advise from you in context of the below mentioned issue:

A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021.

The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.

Apache Livy version 0.7.0 version is being used by our team for processing the spark jobs . It uses the Log4j 1.x.x. which is not having any continued support.

We would like to upgrade the Log4j versions to the latest stable version 2.15 without having any impact on the installations .

Could you please recommend the possible ways to do the upgrade .Please note , we are not looking to upgrade the Livy version to 0.7.1 to resolve this issue .

Our requirement is to retain the current installed version and configurations with only changes in the Log4j versions

Attachments

Issue Links

is related to

LIVY-884 replace log4jv1 usage - EOL and with multiple security vulnerabilities

Open

Activity

People

Assignee:: Damon Cortesi

Reporter:: Tinu Jose

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 17/Dec/21 12:59

Updated:: 26/Apr/23 21:46

Resolved:: 26/Apr/23 21:46

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2h 50m