https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33358#M24366 <P>on the databricks docs you get an overview of the installed version by databricks-version:</P><P><A href="https://docs.databricks.com/release-notes/runtime/releases.html" target="test_blank">https://docs.databricks.com/release-notes/runtime/releases.html</A></P><P>Select the release you use and then search for 'log4j'.</P><P>Of course that is no guarantee, because you can submit your own fat jars with another log4j version included.</P><P>If you do not do that, that is not an issue ofc.</P> Mon, 13 Dec 2021 08:50:32 GMT -werners- 2021-12-13T08:50:32Z https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33354#M24362 <P>Hi,</P><P></P><P>Any affect of CVE-2021-44228 problem on Databricks platform?</P><P></P><P>Is there any action that needs to be done by Databricks customer related to CVE-2021-44228?</P> Sat, 11 Dec 2021 19:45:00 GMT https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33354#M24362 herry 2021-12-11T19:45:00Z https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33355#M24363 <P>Databricks is still on log4j 1. That alert is related to log4j 2.</P> Sat, 11 Dec 2021 19:55:41 GMT https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33355#M24363 Hubert-Dudek 2021-12-11T19:55:41Z https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33356#M24364 <P>It depends.</P><P>The vulnerability in question is <A href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228" alt="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228" target="_blank">CVE-2021-44228</A>.</P><P>Log4j 2.0-beta9 to 2.14.1 are vulnerable. With version 2.15.0 the issue is resolved.</P><P>So it depends on the version of Log4j you are running.</P><P>You can set 'log4j2.formatMsgNoLookups' to 'true' by addubg ‐Dlog4j2.formatMsgNoLookups=True” to the cluster startup params.</P><P></P><P>I do not know the log4j versions per databricks version.</P><P>Maybe someone from databricks can tell us which versions are impacted.</P> Mon, 13 Dec 2021 08:08:01 GMT https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33356#M24364 -werners- 2021-12-13T08:08:01Z https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33357#M24365 <P>How can I know which version I have?</P> Mon, 13 Dec 2021 08:39:28 GMT https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33357#M24365 Kencorp 2021-12-13T08:39:28Z https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33358#M24366 <P>on the databricks docs you get an overview of the installed version by databricks-version:</P><P><A href="https://docs.databricks.com/release-notes/runtime/releases.html" target="test_blank">https://docs.databricks.com/release-notes/runtime/releases.html</A></P><P>Select the release you use and then search for 'log4j'.</P><P>Of course that is no guarantee, because you can submit your own fat jars with another log4j version included.</P><P>If you do not do that, that is not an issue ofc.</P> Mon, 13 Dec 2021 08:50:32 GMT https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33358#M24366 -werners- 2021-12-13T08:50:32Z https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33359#M24367 <P>Thank you very much</P> Mon, 13 Dec 2021 09:02:38 GMT https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33359#M24367 Kencorp 2021-12-13T09:02:38Z https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33360#M24368 <P>On most databricks distributions log4j version is 1.2.17</P> Mon, 13 Dec 2021 11:48:38 GMT https://community.databricks.com/t5/data-engineering/cve-2021-44228/m-p/33360#M24368 Hubert-Dudek 2021-12-13T11:48:38Z