Critical vulnerability in Apache Log4j library (CVE-2021-44228) #6608
maziyarpanahi announced in Announcement
Hi everyone,

As explained in Apache Log4j Security Vulnerabilities, in versions 2.14.1 and under of the library, the JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. It is also known as Log4shell.

How does this affect Spark NLP?

Short answer:
It does not! The issue is with log4j version 2.x, hence the name log4j2 vulnerability, and Apache Spark uses log4j 1.x.

Longer answer:
This project (spark-nlp) doesn't have any dependency on log4j. As you may know, this dependency is inherited from spark-core from the Apache Spark project. That being said, all the major and minor releases of Apache Spark (even the latest 3.2.0) are using log4j 1.x releases. So when it comes to Spark NLP and Apache Spark, the log4j used is 1.x and doesn't need any further action regarding the CVE-2021-44228 vulnerability. However, since you might be using other third-party dependencies that might use log4j 2.x, I would like to share a possible solution/workaround that will keep you and your clusters safe until everything is updated everywhere: if any dependency in your Apache Spark session uses log4j 2.x, this config will disable the problematic lookup. You can also keep an eye on the list of the affected software to upgrade quickly and be safe: https://github.com/NCSC-NL/log4shell/tree/main/software

We will keep updating this thread with any new future development.

UPDATE 1:
Databricks Log4j2 Vulnerability (CVE-2021-44228) Research and Assessment
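The announcement above tells you to check whether any third-party dependency in your Spark session pulls in log4j 2.x. The following script is an added example (not the author's config and not part of the spark-nlp project) that walks a Java classpath, recognises Maven-style log4j jar names, and reports which entries fall into the affected range the post states (log4j-core 2.x up to and including 2.14.1), which are log4j 1.x (not affected by CVE-2021-44228 per the post), and which are other log4j 2.x artifacts that are worth a second look. The jar-name regex, the status labels and the sample classpath are all constructed for this example.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

# Affected range as stated in the announcement: log4j 2.x up to and including 2.14.1.
LAST_AFFECTED = (2, 14, 1)

# Matches Maven-style jar names such as log4j-1.2.17.jar, log4j-core-2.14.1.jar,
# log4j-api-2.14.1.jar and log4j-1.2-api-2.14.1.jar (constructed heuristic).
JAR_RE = re.compile(r"^(log4j(?:-[a-z0-9.-]+?)?)-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_jar(jar_name: str) -> Optional[Tuple[str, Tuple[int, int, int]]]:
    """Return (artifact, (major, minor, patch)) for a log4j jar name, else None."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    artifact = m.group(1)
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return artifact, version


def classify_jar(jar_name: str) -> str:
    """Classify one jar filename against the affected range given in the post."""
    parsed = parse_jar(jar_name)
    if parsed is None:
        return "NOT_LOG4J"
    artifact, version = parsed
    if version[0] == 1:
        # log4j 1.x (what Spark itself ships) is not affected by CVE-2021-44228.
        return "LOG4J1_NOT_AFFECTED"
    if artifact != "log4j-core":
        # log4j-api, log4j-1.2-api, ...: the lookup code lives in log4j-core,
        # so flag these for review rather than calling them vulnerable outright.
        return "LOG4J2_OTHER_ARTIFACT"
    if version <= LAST_AFFECTED:
        return "VULNERABLE"
    return "ABOVE_2_14_1"


def scan_classpath(classpath: str, sep: str = ":") -> Dict[str, str]:
    """Map every log4j-related classpath entry to its status; other jars are dropped."""
    findings: Dict[str, str] = {}
    for entry in classpath.split(sep):
        entry = entry.strip()
        if not entry:
            continue
        name = entry.replace("\\", "/").rsplit("/", 1)[-1]
        status = classify_jar(name)
        if status != "NOT_LOG4J":
            findings[entry] = status
    return findings


def vulnerable_entries(classpath: str, sep: str = ":") -> List[str]:
    """Sorted list of classpath entries in the affected log4j-core range."""
    return sorted(p for p, s in scan_classpath(classpath, sep).items() if s == "VULNERABLE")


# Constructed sample: Spark's own log4j 1.x jar next to a log4j 2.14.1 pulled in
# via a third-party dependency in the user's ivy cache.
SAMPLE_CLASSPATH = ":".join([
    "/opt/spark/jars/log4j-1.2.17.jar",
    "/opt/spark/jars/spark-core_2.12-3.2.0.jar",
    "/home/user/.ivy2/jars/log4j-core-2.14.1.jar",
    "/home/user/.ivy2/jars/log4j-api-2.14.1.jar",
])

if __name__ == "__main__":
    # Pass a real classpath as the first argument, e.g. the jars under $SPARK_HOME/jars
    # joined with ":"; otherwise the constructed sample is scanned.
    cp = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_CLASSPATH
    for path, status in sorted(scan_classpath(cp).items()):
        print(f"{status:24} {path}")
    bad = vulnerable_entries(cp)
    print(f"\n{len(bad)} entry/entries in the affected log4j-core range")
```

On the sample input the scan reports the Spark log4j 1.2.17 jar as not affected, the log4j-core 2.14.1 jar as vulnerable and the log4j-api jar as an artifact to review. Keep in mind that this heuristic only sees jar filenames: a shaded or fat jar that bundles log4j-core classes under a different name will not be detected, so for those you still need to inspect jar contents or the dependency tree.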