Details
- Improvement
- Status: Resolved
- Critical
- Resolution: Duplicate
- 3.2.1
- None
- None
- Important
Description
As there are numerous vulnerabilities in log4j and the project is no longer actively supported, can we upgrade the spark-sql Java library from log4j to slf4j?
This will also enable easy integration with log4j, logback and log4j2 without a breaking change.
Maven Dependency
<dependency>
    <groupId>org.apache.spark</groupId>
    <artifactId>spark-sql_2.13</artifactId>
    <version>3.2.1</version>
</dependency>
Vulnerabilities
| SEVERITY | LIBRARY          | ID             |
|----------|------------------|----------------|
| HIGH     | log4j-1.2.17.jar | CVE-2019-17571 |
| HIGH     | log4j-1.2.17.jar | CVE-2020-9493  |
| HIGH     | log4j-1.2.17.jar | CVE-2021-4104  |
| HIGH     | log4j-1.2.17.jar | CVE-2022-23302 |
| HIGH     | log4j-1.2.17.jar | CVE-2022-23305 |
| HIGH     | log4j-1.2.17.jar | CVE-2022-23307 |
| LOW      | log4j-1.2.17.jar | CVE-2020-9488  |
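As an added example (not part of this issue or of the Spark project's own build), one way a consumer of spark-sql_2.13 3.2.1 can keep log4j-1.2.17.jar off its application classpath while this request is open: exclude the log4j 1 artifact and its SLF4J binding, then supply Log4j 2 as the SLF4J backend together with the log4j 1.2 API bridge, because Spark 3.2 code still references org.apache.log4j classes directly. The Log4j 2 version property is a placeholder to be filled with a current release.

```xml
<!-- Added example: a consumer's POM fragment, not Spark's own build. -->
<properties>
  <!-- Assumption: set this to a current Log4j 2 release. -->
  <log4j2.version>LOG4J2_VERSION_PLACEHOLDER</log4j2.version>
</properties>

<dependencies>
  <dependency>
    <groupId>org.apache.spark</groupId>
    <artifactId>spark-sql_2.13</artifactId>
    <version>3.2.1</version>
    <exclusions>
      <!-- log4j:log4j is the log4j-1.2.17.jar that all seven CVEs above are reported against. -->
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
      <!-- The log4j 1 SLF4J binding would pull log4j 1 back in, so drop it too. -->
      <exclusion>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-log4j12</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Route SLF4J calls from Spark to Log4j 2 (brings log4j-api and log4j-core transitively). -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>${log4j2.version}</version>
  </dependency>

  <!-- Serves Spark's direct org.apache.log4j calls on top of Log4j 2. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
</dependencies>
```

Verify with `mvn dependency:tree -Dincludes=log4j:log4j`, which should print no matches once the exclusion applies. This only changes the application's own classpath; a Spark 3.2.1 cluster's jars/ directory still ships log4j 1 until the linked migration lands.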
Issue Links
- duplicates: SPARK-37814 Migrating from log4j 1 to log4j 2 (Resolved)