cancel
Showing results forย 
Search instead forย 
Did you mean:ย 
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

Apache Log4J Vulnerability

Loki
New Contributor III

Hi Community,

We got an email from our IT Team regarding Apache Log4J Vulnerability.

Just wanted to understand if our implementation will be affected by this or not.

We are using the following library or package in our notebooks

import org.apache.log4j.Logger

Thanks

Lokesh

10 REPLIES 10

-werners-
Esteemed Contributor III

It depends.

The vulnerability in question is CVE-2021-44228.

Log4j 2.0-beta9 to 2.14.1 are vulnerable. With version 2.15.0 the issue is resolved.

So it depends on the version of Log4j you are running.

You can set 'log4j2.formatMsgNoLookups' to 'true' by addubg โ€Dlog4j2.formatMsgNoLookups=Trueโ€ to the cluster startup params.

I do not know the log4j versions per databricks version.

Maybe someone from databricks can tell us which versions are impacted.

Prabakar
Databricks Employee
Databricks Employee

Hi @Lokesh Sharmaโ€‹ , Thank you for reaching out. As you are aware, there has been a 0-day discovery in Log4j2, the Java Logging library, that could result in Remote Code Execution (RCE) if an affected version of log4j (2.0 <= log4j <= 2.14.1)  logs an attacker-controlled string value without proper validation. Please see more details on CVE-2021-44228.

Databricks does not directly use a version of log4j known to be affected by the vulnerability within the Databricks platform in a way we understand may be vulnerable to this CVE (e.g., to log user-controlled strings). We have investigated the transitive use of log4j and have not found any evidence of vulnerable usage so far. 

However, depending on the way you are using log4j within your Databricks dataplane cluster (e.g., if you are processing user-controlled strings though log4j), your use may be potentially vulnerable to the exploit if you have installed and are using an affected version or have installed services that transitively depend on an affected version. 

If you determine that you have done so, we advise to stop using an affected version of log4j until you upgrade to log4j version 2.15.x or reconfigure any affected service with the known temporary mitigation implemented (log4j2.formatMsgNoLookups set to true). Please restart the cluster once you have added the mitigation.

The steps to do so are:

  1. Edit the cluster and job with the spark conf โ€œspark.driver.extraJavaOptionsโ€ and โ€œspark.executor.extraJavaOptionsโ€ set to "-Dlog4j2.formatMsgNoLookups=true"Untitled
  2. Confirm edit to restart the cluster, or simply trigger a new job run which will use the updated java options.
  3. You can confirm that these settings have taken effect in the โ€œSpark UIโ€ tab, under โ€œEnvironmentโ€Untitled (1)

We are continuing to investigate whether the Databricks platform may be vulnerable to this security issue and will provide a proactive notification if we determine that you may have been impacted or need to take any further steps.

Loki
New Contributor III

Thanks, Prabakar for getting back to us and for the detailed action steps that need to be followed.

Would you be able to provide an example of " user-controlled strings"

-werners-
Esteemed Contributor III

That can by anything tbh. F.e. you run a fat jar with an impacted log4j version.

But if you only use the logging provided by Databricks I think you are safe.

Loki
New Contributor III

Thanks werners

Anonymous
Not applicable

Is the reason that log4j version 1.2.17 is not vulnerable, because it was not a feature (lookups) before version 2.0?

-werners-
Esteemed Contributor III

That is correct. The culprit (lookup feature) is not present in version 1.x

Hubert-Dudek
Esteemed Contributor III

On most databricks distributions log4j version is 1.2.17

Loki
New Contributor III

Okay I reckon we should be safe then

gmt
New Contributor II

Is log4j 1.2.17 depreciated? Am I wrong?

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group