powered by Jive Software

Log4j vulnerability

Hello,

as the Spark client is also a java based application we’re wondering if the client is (as the openfire server) affected by this log4j security issue.

https://logging.apache.org/log4j/2.x/security.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Best regards

Spark should be unaffected by this problem.

Spark itself does not use the Log4j framework for logging (instead, it uses Java Util Logging). There are some libraries that pull in Log4j as a dependency, but those are a) unlikely to be used, and b) (very) old versions of log4j that do not have this vulnerability.

1 Like

I can see here that Spark does use log4j v1.2.17., which has already reached the end of life!

This is not the same Spark!
Here is the correct link https://github.com/igniterealtime/Spark

2 Likes

As @ilyaHlevnoy said: the Apache Spark project and our Spark XMPP client project are two completely unrelated projects.

In our defense: we used the name first. :wink:

2 Likes

I apologize for the confusion!