https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33372#M24378 <P>Okay I reckon we should be safe then</P><P></P> Mon, 13 Dec 2021 13:05:18 GMT Loki 2021-12-13T13:05:18Z https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33365#M24371 <P>Hi Community, </P><P></P><P>We got an email from our IT Team regarding Apache Log4J Vulnerability. </P><P></P><P>Just wanted to understand if our implementation will be affected by this or not. </P><P></P><P>We are using the following library or package in our notebooks</P><P></P><PRE><CODE>import org.apache.log4j.Logger</CODE></PRE><P></P><P>Thanks</P><P>Lokesh</P><P></P> Mon, 13 Dec 2021 06:31:27 GMT https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33365#M24371 Loki 2021-12-13T06:31:27Z https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33366#M24372 <P>It depends.</P><P>The vulnerability in question is <A href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228" alt="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228" target="_blank">CVE-2021-44228</A>.</P><P>Log4j 2.0-beta9 to 2.14.1 are vulnerable. With version 2.15.0 the issue is resolved.</P><P>So it depends on the version of Log4j you are running.</P><P>You can set 'log4j2.formatMsgNoLookups' to 'true' by addubg ‐Dlog4j2.formatMsgNoLookups=True” to the cluster startup params.</P><P></P><P>I do not know the log4j versions per databricks version.</P><P>Maybe someone from databricks can tell us which versions are impacted.</P> Mon, 13 Dec 2021 08:06:29 GMT https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33366#M24372 -werners- 2021-12-13T08:06:29Z https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33367#M24373 <P>Hi @Lokesh Sharma​&nbsp;, Thank you for reaching out. As you are aware, there has been a <A href="https://www.lunasec.io/docs/blog/log4j-zero-day/" alt="https://www.lunasec.io/docs/blog/log4j-zero-day/" target="_blank"><U>0-day discovery</U></A> in Log4j2, the Java Logging library, that could result in Remote Code Execution (RCE) if an affected version of log4j (2.0 &lt;= log4j &lt;= 2.14.1)&nbsp; logs an attacker-controlled string value without proper validation. Please see more details on <A href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228" alt="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228" target="_blank"><U>CVE-2021-44228</U></A>.</P><P></P><P>Databricks does not directly use a version of log4j known to be affected by the vulnerability within the Databricks platform in a way we understand may be vulnerable to this CVE (e.g., to log user-controlled strings). We have investigated the transitive use of log4j and have not found any evidence of vulnerable usage so far.&nbsp;</P><P></P><P>However, depending on the way you are using log4j within your Databricks dataplane cluster (e.g., if you are processing user-controlled strings though log4j), your use may be potentially vulnerable to the exploit if you have installed and are using an affected version or have installed services that transitively depend on an affected version.&nbsp;</P><P></P><P>If you determine that you have done so, we advise to stop using an affected version of log4j until you upgrade to log4j version 2.15.x or reconfigure any affected service with the <A href="https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation" alt="https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation" target="_blank"><U>known temporary mitigation</U></A> implemented (log4j2.formatMsgNoLookups set to true). Please restart the cluster once you have added the mitigation.</P><P></P><P>The steps to do so are:</P><OL><LI>Edit the cluster and job with the spark conf “spark.driver.extraJavaOptions” and “spark.executor.extraJavaOptions” set to "-Dlog4j2.formatMsgNoLookups=true"<span class="lia-inline-image-display-wrapper" image-alt="Untitled"><img src="https://community.databricks.com/t5/image/serverpage/image-id/2221iA994482666D1DA01/image-size/large?v=v2&amp;px=999" role="button" title="Untitled" alt="Untitled" /></span></LI><LI>Confirm edit to restart the cluster, or simply trigger a new job run which will use the updated java options.</LI><LI>You can confirm that these settings have taken effect in the “Spark UI” tab, under “Environment”<span class="lia-inline-image-display-wrapper" image-alt="Untitled (1)"><img src="https://community.databricks.com/t5/image/serverpage/image-id/2230iB3FBEB4BB4DBD063/image-size/large?v=v2&amp;px=999" role="button" title="Untitled (1)" alt="Untitled (1)" /></span></LI></OL><P></P><P>We are continuing to investigate whether the Databricks platform may be vulnerable to this security issue and will provide a proactive notification if we determine that you may have been impacted or need to take any further steps.</P> Mon, 13 Dec 2021 09:46:56 GMT https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33367#M24373 Prabakar 2021-12-13T09:46:56Z https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33368#M24374 <P>Thanks, Prabakar for getting back to us and for the detailed action steps that need to be followed. </P><P></P><P>Would you be able to provide an example of "&nbsp;user-controlled strings"</P> Mon, 13 Dec 2021 10:49:43 GMT https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33368#M24374 Loki 2021-12-13T10:49:43Z https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33369#M24375 <P>That can by anything tbh. F.e. you run a fat jar with an impacted log4j version.</P><P></P><P>But if you only use the logging provided by Databricks I think you are safe.</P> Mon, 13 Dec 2021 10:53:22 GMT https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33369#M24375 -werners- 2021-12-13T10:53:22Z https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33370#M24376 <P>Thanks werners</P> Mon, 13 Dec 2021 10:55:17 GMT https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33370#M24376 Loki 2021-12-13T10:55:17Z https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33371#M24377 <P>On most databricks distributions log4j version is 1.2.17</P> Mon, 13 Dec 2021 11:48:58 GMT https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33371#M24377 Hubert-Dudek 2021-12-13T11:48:58Z https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33372#M24378 <P>Okay I reckon we should be safe then</P><P></P> Mon, 13 Dec 2021 13:05:18 GMT https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33372#M24378 Loki 2021-12-13T13:05:18Z https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33373#M24379 <P>Is log4j 1.2.17 depreciated? Am I wrong?</P> Mon, 13 Dec 2021 14:19:07 GMT https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33373#M24379 gmt 2021-12-13T14:19:07Z https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33374#M24380 <P>Is the reason that log4j version 1.2.17 is not vulnerable, because it was not a feature (lookups) before version 2.0?</P><P></P> Mon, 13 Dec 2021 20:55:47 GMT https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33374#M24380 Anonymous 2021-12-13T20:55:47Z https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33376#M24382 <P>That is correct. The culprit (lookup feature) is not present in version 1.x</P> Tue, 14 Dec 2021 07:34:28 GMT https://community.databricks.com/t5/data-engineering/apache-log4j-vulnerability/m-p/33376#M24382 -werners- 2021-12-14T07:34:28Z