Problem:
The open source component Apache Log4j, versions 2.0 through 2.14.1 inclusive, contains the critical security vulnerability CVE-2021-44228.
Solution:
We will consider this ticket resolved when any of the following is achieved:
1. A resolution for this issue is discovered, if possible.
2. A suitable workaround is found and accepted by you if one exists.
3. This is found to be a bug (in which case it will be addressed based on the life cycle).
4. This is found to be working as designed.
5. This is found to be an issue with a third-party product.
If you determine that you are running an affected version, we advise that you stop using it until you upgrade to log4j version 2.15.x, or reconfigure any affected service with the known temporary mitigation (log4j2.formatMsgNoLookups set to true). Please restart the cluster once you have added the mitigation.
The steps to do so are:
- Edit the cluster and job with the Spark conf "spark.driver.extraJavaOptions" and "spark.executor.extraJavaOptions" set to "-Dlog4j2.formatMsgNoLookups=true".
- Confirm the edit to restart the cluster, or simply trigger a new job run, which will use the updated Java options.
- You can confirm that these settings have taken effect in the "Spark UI" tab, under "Environment".
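The following is an added example (not part of this ticket or any vendor tooling) that checks whether the mitigation above is effective in a Spark conf map such as the one shown in the "Environment" tab, and applies it by appending the flag rather than overwriting the key, which would otherwise drop any JVM options already configured. The conf keys and property name are the ones named in the steps; the helper names are my own.

```python
"""Check and apply the Log4j formatMsgNoLookups mitigation in a Spark conf.

Operates on the plain key/value map a cluster or job configuration holds
(the same properties the Spark UI "Environment" tab displays), so it runs
offline. Helper names are this example's own, not a Spark or vendor API.
"""
import shlex

FLAG = "log4j2.formatMsgNoLookups"
CONF_KEYS = ("spark.driver.extraJavaOptions", "spark.executor.extraJavaOptions")


def flag_value(java_options: str):
    """Effective value of -Dlog4j2.formatMsgNoLookups in a JVM options string.

    Returns None when the property is absent. A later -D entry overrides an
    earlier one, as the JVM does for system properties, and a bare
    -Dlog4j2.formatMsgNoLookups (no '=') yields the empty string, which
    Log4j does not treat as true.
    """
    value = None
    for tok in shlex.split(java_options):
        rest = tok[len("-D" + FLAG):]
        if tok.startswith("-D" + FLAG) and (rest == "" or rest.startswith("=")):
            value = rest[1:] if rest else ""
    return value


def mitigation_applied(conf: dict) -> bool:
    """True only if BOTH driver and executor options set the flag to true."""
    return all(
        (flag_value(conf.get(key, "")) or "").strip().lower() == "true"
        for key in CONF_KEYS
    )


def apply_mitigation(conf: dict) -> dict:
    """Return a copy of conf with the flag set to true on both option keys.

    Existing JVM options are preserved by appending; because the last -D
    entry wins, appending also overrides an earlier explicit 'false'.
    """
    updated = dict(conf)
    for key in CONF_KEYS:
        existing = updated.get(key, "").strip()
        if (flag_value(existing) or "").strip().lower() == "true":
            continue  # already mitigated on this side
        updated[key] = (existing + " " if existing else "") + f"-D{FLAG}=true"
    return updated
```

Run `mitigation_applied` against the conf before restarting and again against the live Environment properties after restart; a driver-only or executor-only setting is reported as not applied.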
Case #: CAS-01107-B8B9P2