Hi Pulkit,

Hadoop does not use those log4j network classes unless the user and the administrator configured the setting explicitly.
The issue is tracked by [HADOOP-16206] Migrate from Log4j1 to Log4j2 - ASF JIRA (apache.org) <https://issues.apache.org/jira/browse/HADOOP-16206>

Thanks,
Akira

On Tue, Sep 14, 2021 at 10:33 PM Pulkit Chawla <[email protected]> wrote:

> Hi,
>
> Hadoop uses log4j1 even in the latest versions. I am concerned about the
> log4j1 vulnerabilities related to network listening.
>
> Wanted to know the risk of continuing to use log4j1 in Hadoop.
>
> Does it use those log4j network classes? If no, can we completely remove
> it? If yes, how can we lessen the risk? Does creating a secure Kerberos
> network prevent those vulnerabilities?
>
> Can anyone guide me?
>
> Thanks,
> Pulkit
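
Added example, not part of the original thread and not Hadoop project code: one way to check the condition in the reply above, by scanning a log4j 1.x properties file for appenders from the org.apache.log4j.net package and reporting whether any logger references them. The sample configuration, the function names and the host name are constructed for illustration.

```python
import re

NET_PKG = "org.apache.log4j.net."  # log4j 1.x package with the socket/JMS/SMTP/syslog/telnet classes

# Constructed sample configuration (illustrative, not Hadoop's shipped file).
SAMPLE = """\
app.root.logger=INFO,console
log4j.rootLogger=${app.root.logger}
log4j.appender.console=org.apache.log4j.ConsoleAppender
# defined but referenced by no logger
log4j.appender.remote=org.apache.log4j.net.SocketAppender
log4j.appender.remote.RemoteHost=loghost.example
log4j.appender.mail=org.apache.log4j.net.SMTPAppender
log4j.logger.org.example.audit=WARN, \\
    mail
"""

def parse_properties(text):
    """Minimal .properties reader: comments, '=' or ':' separators, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def expand(value, props):
    """Resolve ${name} from the same file; bounded so self-references cannot loop."""
    for _ in range(5):
        value = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), value)
    return value

def audit_log4j1(text):
    """Return {appender: {"class": ..., "attached": bool}} for org.apache.log4j.net appenders."""
    raw = parse_properties(text)
    props = {k: expand(v, raw) for k, v in raw.items()}
    attached, found = set(), {}
    for key, value in props.items():
        if re.match(r"log4j\.(rootLogger|rootCategory|logger\.|category\.)", key):
            attached.update(n.strip() for n in value.split(",")[1:])  # item 0 is the level
    for key, cls in props.items():
        if re.fullmatch(r"log4j\.appender\.[^.]+", key) and cls.startswith(NET_PKG):
            name = key[len("log4j.appender."):]
            found[name] = {"class": cls, "attached": name in attached}
    return found
```

The scan only sees what is written in the file it is given; values overridden with JVM -D system properties or set programmatically are outside its view.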
