As noted, there is no known effect on Spark, as released versions do not
use an affected log4j version and configuration, thus no documentation
about remediation.
It is in any event a good idea to update to 2.x; please see JIRA for the
log4j 2.x update, which will come in Spark 3.3.0 as this is all discussed
in depth there.
There is no release date for Spark 3.3.0, but likely in a few months.

On Wed, Jan 12, 2022 at 8:59 AM Juan Liu <liuj...@cn.ibm.com> wrote:

> Dear Spark support,
>
> Due to the known log4j security issue, we are required to upgrade log4j
> version to 2.17.1. Currently, we use Spark 3.1.2 with default log4j 1.2.17.
> Also we found log4j configuration document here:
> https://spark.apache.org/docs/3.2.0/configuration.html#configuring-logging
>
> Our questions:
>
>    - Does Spark 3.1.2 support log4j v2.17.1? How to upgrade log4j from
>    1.* to 2.17.1 in Spark? Would you pls help to provide guidance?
>    - If Spark 3.1.2 doesn't support log4j v2.17.1, then how about Spark
>    3.2? Pls also help to provide guidance, thanks!
>    - We found Spark 3.3 will support log4j migrate from 1 to 2 in this
>    ticket: https://issues.apache.org/jira/browse/SPARK-37814, also I
>    noticed all sub-tasks are done except one. It's awesome! Would you pls
>    help to advise your target release day? If it's in very near future, like
>    Jan, maybe we can wait for 3.3.
>
>
> BTW, as log4j issue is very popular security issue, it's better if Spark
> team could post the solution directly in security page (
> https://spark.apache.org/security.html) to benefit end user.
>
> Anyway, thank you so much for providing such a powerful tool for us, and
> thanks for your patience to read and reply to this mail. Have a good day!
>
> *Juan Liu (刘娟) **PMP**®*
> Release Management, Watson Health, China Development Lab
> Email: liuj...@cn.ibm.com
> Phone: 86-10-82452506
>