Esri / deep-learning-frameworks

Installation support for Deep Learning Frameworks for the ArcGIS System

pyspark 3.2.1 vulnerable for log4j #72

Closed adurnan8 closed 10 months ago

adurnan8 commented 11 months ago

The dependent package, pyspark 3.2.1, includes log4j-1.2.17.jar. That version of log4j is end-of-life and identified as a security vulnerability in Tenable. Is pyspark 3.4.1 compatible with the Deep Learning package?

scdub commented 11 months ago

There is a vulnerability against log4j 1.2.17, CVE-2021-44832. However, this CVE is not considered a high risk one given it requires a complex set of interactions to trigger unlike the earlier extremely critical Log4Shell CVE. I don't think that the log4j maintainers have explicitly EOLed versions, unless I'm missing something. That said, pyspark is included as an optional dependency of one requirement (dtreeviz), and it can safely be removed from the environment if your execution context requires it.

adurnan8 commented 11 months ago

Thanks for following up.

Log4j v1 is end of life. For that reason, Tenable considers it a critical vulnerability.

Apache™ Logging Services™ Project Announces Log4j™ 1 End-Of-Life; Recommends Upgrade to Log4j 2 - The Apache Software Foundation Blog: https://news.apache.org/foundation/entry/apache_logging_services_project_announces
5 August 2015 — The Apache Logging Services™ Project Management Committee (PMC) has announced that the Log4j™ 1.x logging framework has reached its end of life (EOL) and is no longer officially supported. Log4j saw its first release in 1999 and quickly became the most used logging framework ever. Over the years the project has released […] (news.apache.org)

Apache Log4j SEoL (<= 1.x) | Tenable®: https://www.tenable.com/plugins/nessus/182252
An unsupported version of Apache Log4j is installed on the remote host. (Nessus Plugin ID 182252) (www.tenable.com)



scw commented 10 months ago

PySpark 3.4.1 is included in the Pro 3.2 installers now released. If you are on an older version of Pro and need this component removed, it can safely be removed without affecting any core deep learning workflows.
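Before removing or upgrading pyspark on an older Pro install, it helps to confirm which Log4j jars the environment actually ships. The script below is an added example, not code from the Esri project or this thread: it walks an environment root for log4j jars, parses the version from the jar name (the pattern seen in the issue, log4j-1.2.17.jar) and flags every 1.x artifact as EOL; it assumes PySpark keeps its jars under pyspark/jars/ and builds a constructed directory of that shape when no path is given.

```python
"""Scan a Python environment for Log4j 1.x jars bundled with PySpark.

Added example, not the Esri project's code. Assumes the jar naming seen in
the issue (log4j-1.2.17.jar) and PySpark's <site-packages>/pyspark/jars/ layout.
"""
import re
import sys
import tempfile
from pathlib import Path

# log4j-1.2.17.jar, log4j-core-2.17.1.jar, log4j-api-2.20.0.jar, ...
JAR_RE = re.compile(r"^(log4j(?:-[a-z][a-z0-9]*)*)-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def classify_jar(name):
    """Return (artifact, version, is_eol) for a log4j jar name, else None.

    Log4j 1.x reached end of life in August 2015 (announcement linked in the
    issue), so every 1.x artifact is flagged regardless of patch level.
    """
    m = JAR_RE.match(name)
    if not m:
        return None
    artifact, major, minor, patch = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    version = f"{major}.{minor}" + (f".{patch}" if patch else "")
    return artifact, version, major < 2


def find_log4j_jars(env_root):
    """Walk env_root; return a finding per log4j jar, EOL ones sorted first."""
    findings = []
    for jar in Path(env_root).rglob("log4j*.jar"):
        info = classify_jar(jar.name)
        if info:
            findings.append({"path": str(jar), "artifact": info[0], "version": info[1], "eol": info[2]})
    return sorted(findings, key=lambda f: (not f["eol"], f["path"]))


def build_demo_env():
    """Constructed site-packages layout mimicking the pyspark 3.2.1 jars dir."""
    jars = Path(tempfile.mkdtemp()) / "pyspark" / "jars"
    jars.mkdir(parents=True)
    for name in ("log4j-1.2.17.jar", "slf4j-log4j12-1.7.30.jar", "spark-core_2.12-3.2.1.jar"):
        (jars / name).write_bytes(b"")
    return jars.parent.parent


if __name__ == "__main__":
    for f in find_log4j_jars(sys.argv[1] if len(sys.argv) > 1 else build_demo_env()):
        print(("EOL " if f["eol"] else "ok  ") + f"{f['artifact']} {f['version']}  {f['path']}")
```

Point it at the environment's site-packages directory to get the real list; an empty result after `pip uninstall pyspark` (or after the Pro 3.2 upgrade to pyspark 3.4.1) confirms the 1.x jar is gone.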