Databricks Community

herry · ‎12-11-2021

Hi,

Any affect of CVE-2021-44228 problem on Databricks platform?

Is there any action that needs to be done by Databricks customer related to CVE-2021-44228?

Hubert-Dudek · ‎12-11-2021

Databricks is still on log4j 1. That alert is related to log4j 2.

-werners- · ‎12-13-2021

It depends.

The vulnerability in question is CVE-2021-44228.

Log4j 2.0-beta9 to 2.14.1 are vulnerable. With version 2.15.0 the issue is resolved.

So it depends on the version of Log4j you are running.

You can set 'log4j2.formatMsgNoLookups' to 'true' by addubg ‐Dlog4j2.formatMsgNoLookups=True” to the cluster startup params.

I do not know the log4j versions per databricks version.

Maybe someone from databricks can tell us which versions are impacted.

Kencorp · ‎12-13-2021

How can I know which version I have?

-werners- · ‎12-13-2021

on the databricks docs you get an overview of the installed version by databricks-version:

Select the release you use and then search for 'log4j'.

Of course that is no guarantee, because you can submit your own fat jars with another log4j version included.

If you do not do that, that is not an issue ofc.

Kencorp · ‎12-13-2021

Thank you very much

Hubert-Dudek · ‎12-13-2021

On most databricks distributions log4j version is 1.2.17

CVE-2021-44228