This is mostly a rehash of this post. I'm not marking as duplicate because it has a hadoop spin.
You can't arbitrarily upgrade a log4j file and hope it fixes things. Here's the prescribed way to remove the vulnerability:
While not affected by the exact same Log4Shell issue, the Apache
Log4j team recommends to remove JMSAppender and SocketServer, which
has a vulnerability in CVE-2019-17571, from your JAR files.
You can use the zip command to remove the affected classes. Replace the filename/version with yours:
zip -d log4j-1.2.16.jar org/apache/log4j/net/JMSAppender.class
zip -d log4j-1.2.16.jar org/apache/log4j/net/SocketServer.class
You can look through the files in your zip using less and grep, e.g. less log4j-1.2.16.jar | grep JMSAppender
I hope it's obvious that you would just change the specific version from log4j-1.2.16.jar to log4j-[your version].jar.
If you don't want to do that you'd need to upgrade log4j2 in hadoop core and build a version from that. (@OneCricketeer thanks for the correction)
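As an added example (not part of the answer above), the same strip-and-verify procedure written against Python's standard zipfile module instead of the zip command: it lists which of the two affected classes a JAR contains (the grep step), rewrites the JAR without them (the zip -d step), and checks the result. The JAR it operates on is a constructed stand-in with the real entry names but dummy bytes; the file name log4j-1.2.16.jar is just the answer's example version.

```python
from __future__ import annotations
import tempfile
import zipfile
from pathlib import Path
from typing import Iterable

# The two Log4j 1.x classes the answer says to remove from the JAR.
AFFECTED_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)

def find_affected(jar: Path, targets: Iterable[str] = AFFECTED_CLASSES) -> list[str]:
    """Return which target entries are present (the `less ... | grep` check)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    return [t for t in targets if t in names]

def strip_classes(jar: Path, targets: Iterable[str] = AFFECTED_CLASSES) -> list[str]:
    """Rewrite the JAR without the target entries (what `zip -d` does).
    Writes a temp file next to the JAR, then atomically replaces it."""
    wanted = set(targets)
    removed: list[str] = []
    tmp = jar.with_suffix(jar.suffix + ".tmp")
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename in wanted:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))  # keeps entry metadata
    tmp.replace(jar)
    return removed

def make_sample_jar(path: Path) -> Path:
    """Constructed stand-in for log4j-1.2.x.jar: real entry names, dummy bytes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for cls in AFFECTED_CLASSES:
            zf.writestr(cls, b"\xca\xfe\xba\xbe")
    return path

def demo(workdir: str | None = None) -> dict[str, list[str]]:
    """Build the sample JAR in a temp dir, check it, strip it, and re-check."""
    jar = make_sample_jar(Path(workdir or tempfile.mkdtemp()) / "log4j-1.2.16.jar")
    before = find_affected(jar)
    removed = strip_classes(jar)
    with zipfile.ZipFile(jar) as zf:
        remaining = zf.namelist()
    return {"before": before, "removed": removed, "after": find_affected(jar), "remaining": remaining}
```

Running find_affected on a real JAR before and after the edit is the verification step; an empty list afterwards means both classes are gone while the rest of the archive is intact.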