12-11-2021 11:45 AM
Hi,
Any effect of the CVE-2021-44228 problem on the Databricks platform?
Is there any action that needs to be done by Databricks customer related to CVE-2021-44228?
12-11-2021 11:55 AM
Databricks is still on log4j 1. That alert is related to log4j 2.
12-13-2021 12:08 AM
It depends.
The vulnerability in question is CVE-2021-44228.
Log4j 2.0-beta9 to 2.14.1 are vulnerable. With version 2.15.0 the issue is resolved.
So it depends on the version of Log4j you are running.
You can set 'log4j2.formatMsgNoLookups' to 'true' by adding "-Dlog4j2.formatMsgNoLookups=True" to the cluster startup params.
I do not know the log4j versions per Databricks version.
Maybe someone from Databricks can tell us which versions are impacted.
12-13-2021 12:39 AM
How can I know which version I have?
12-13-2021 12:50 AM
On the Databricks docs you get an overview of the installed versions by Databricks version:
https://docs.databricks.com/release-notes/runtime/releases.html
Select the release you use and then search for 'log4j'.
Of course that is no guarantee, because you can submit your own fat jars with another log4j version included.
If you do not do that, that is not an issue ofc.
12-13-2021 01:02 AM
Thank you very much
12-13-2021 03:48 AM
On most Databricks distributions the log4j version is 1.2.17.
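The two checks the thread describes (which Log4j jar version a cluster ships, and whether the formatMsgNoLookups startup flag is set) as a small script. This is an added example, not code from Databricks or from any poster; it assumes you have collected the jar filenames from the cluster and the JVM options string yourself, and it applies the version range stated in the thread (2.0-beta9 to 2.14.1 vulnerable, 2.15.0 fixed, Log4j 1.x outside the scope of CVE-2021-44228).

```python
import re

# Matches "log4j-core-2.14.1.jar" (Log4j 2) and "log4j-1.2.17.jar" (Log4j 1).
# Only log4j-core carries the lookup code, so log4j-api jars are ignored.
JAR_VERSION = re.compile(r"log4j(?:-core)?-(\d+\.\d+(?:\.\d+)?(?:-[A-Za-z]+\d*)?)\.jar$")
VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?")
# Java parses the boolean case-insensitively, so "True" (as written above) is fine.
MITIGATION = re.compile(r"-Dlog4j2\.formatMsgNoLookups=true", re.IGNORECASE)


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not_affected' for a Log4j version string,
    using the range given in this thread for CVE-2021-44228."""
    m = VERSION.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    tag, tag_num = (m[4] or "").lower(), int(m[5] or 0)
    if major < 2:
        return "not_affected"          # Log4j 1.x: the alert concerns Log4j 2
    if major == 2 and (minor, patch) == (0, 0) and tag == "beta":
        return "vulnerable" if tag_num >= 9 else "not_affected"
    if major == 2 and (minor, patch) < (15, 0):
        return "vulnerable"            # 2.0-rc* .. 2.14.1
    return "fixed"                     # 2.15.0 and later, per the thread


def jar_version(jar_name: str):
    """Extract the Log4j version from a jar filename, or None if it is not Log4j."""
    m = JAR_VERSION.search(jar_name)
    return m[1] if m else None


def audit(jar_names, java_opts: str) -> dict:
    """Summarise exposure: per-jar classification, whether the mitigation flag
    is in the JVM options, and whether anything still needs attention."""
    jars = {n: classify(v) for n in jar_names if (v := jar_version(n))}
    flag = bool(MITIGATION.search(java_opts))
    has_vulnerable = any(c == "vulnerable" for c in jars.values())
    return {"jars": jars, "formatMsgNoLookups": flag,
            "action_needed": has_vulnerable and not flag}


# Constructed sample input: a mixed jar list and a startup-option string.
SAMPLE_JARS = ["log4j-1.2.17.jar", "log4j-core-2.14.1.jar",
               "log4j-api-2.14.1.jar", "spark-core_2.12-3.2.0.jar"]
SAMPLE_OPTS = "-Dlog4j2.formatMsgNoLookups=True -Xmx4g"

if __name__ == "__main__":
    print(audit(SAMPLE_JARS, SAMPLE_OPTS))
```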