himagarg

Reputation: 11

Updating log4j1.2 to log4j2 present in lib hadoop-mapreduce-client-core

I need to exclude the log4j 1.2 dependency from the hadoop-mapreduce-client-core lib and explicitly include a log4j2 version in my pom, but there is no upgraded version available for the artifact below, and log4j2 is backward incompatible with version 3.3.0.

    <dependency>
        <groupId>org.apache.hadoop</groupId>
        <artifactId>hadoop-mapreduce-client-core</artifactId>
        <version>3.3.0</version>
    </dependency>

Please suggest a workaround if there is one.

Upvotes: 1

Views: 1152

Answers (1)

Matt Andruff

Reputation: 5135

This is mostly a rehash of this post. I'm not marking as duplicate because it has a hadoop spin.

You can't arbitrarily upgrade a log4j file and hope it fixes things. Here's the prescribed way to remove the vulnerability:

While not affected by the exact same Log4Shell issue, the Apache Log4j team recommends to remove JMSAppender and SocketServer, which has a vulnerability in CVE-2019-17571, from your JAR files.

You can use the zip command to remove the affected classes. Replace the filename/version with yours:

    zip -d log4j-1.2.16.jar org/apache/log4j/net/JMSAppender.class 
    zip -d log4j-1.2.16.jar org/apache/log4j/net/SocketServer.class

You can look through the files in your zip using less and grep, e.g. less log4j-1.2.16.jar | grep JMSAppender

I hope it's obvious that you would just change the specific version from log4j-1.2.16.jar to log4j-[your version].jar.

If you don't want to do that you'd need to upgrade log4j2 in hadoop core and build a version from that. (@OneCricketeer thanks for the correction)

Upvotes: 2
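The procedure in the answer above, as an added example that is not part of the original answer or of Hadoop: scan a lib directory for every jar (shaded ones included) that still carries the two class entries, rewrite each such jar without them while keeping entry order and compression, then re-scan to confirm nothing is left. The lib directory and the jars it builds (log4j-1.2.17.jar and a bystander hadoop-mapreduce-client-core jar with placeholder class bytes) are constructed inside the script, so it runs offline; point scan_lib_dir at a real Hadoop lib directory to use it for real.

```python
"""Strip JMSAppender/SocketServer from log4j 1.2 jars under a lib dir, then verify.

Added example; the sample jars below are constructed stand-ins, not real artifacts.
"""
import os
import tempfile
import zipfile

# The class entries the `zip -d` commands above remove.
VULNERABLE_ENTRIES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)


def find_vulnerable_entries(jar_path):
    """Return the subset of VULNERABLE_ENTRIES present in the jar.

    Works on any jar, so a shaded jar that relocated nothing is caught too.
    """
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [entry for entry in VULNERABLE_ENTRIES if entry in names]


def strip_entries(jar_path, entries=VULNERABLE_ENTRIES):
    """Rewrite jar_path without the given entries; return the list removed.

    Entry order (MANIFEST.MF first) and each entry's compression method are
    preserved, which is what `zip -d` also leaves intact.
    """
    removed = []
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".jar")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename in entries:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))  # ZipInfo keeps compress_type
    os.replace(tmp_path, jar_path)
    return removed


def scan_lib_dir(lib_dir, fix=False):
    """Walk lib_dir; map each offending jar (relative path) to the entries found.

    With fix=True the offending entries are stripped as they are found.
    """
    report = {}
    for root, _, files in os.walk(lib_dir):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(root, name)
            hits = find_vulnerable_entries(path)
            if hits:
                report[os.path.relpath(path, lib_dir)] = hits
                if fix:
                    strip_entries(path, hits)
    return report


def build_sample_lib(lib_dir):
    """Constructed stand-in for a Hadoop lib dir (assumption, not real jars):
    one fake log4j 1.2 jar carrying both classes plus an unrelated jar."""
    log4j = os.path.join(lib_dir, "log4j-1.2.17.jar")
    with zipfile.ZipFile(log4j, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for entry in VULNERABLE_ENTRIES:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")
    other = os.path.join(lib_dir, "hadoop-mapreduce-client-core-3.3.0.jar")
    with zipfile.ZipFile(other, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/hadoop/mapreduce/Job.class", b"\xca\xfe\xba\xbe")
    return log4j


def demo():
    """Scan, strip, re-scan a temporary lib dir; return (before, after, remaining entries)."""
    with tempfile.TemporaryDirectory() as lib_dir:
        log4j = build_sample_lib(lib_dir)
        before = scan_lib_dir(lib_dir, fix=True)
        after = scan_lib_dir(lib_dir)
        with zipfile.ZipFile(log4j) as zf:
            remaining = sorted(zf.namelist())
        return before, after, remaining


if __name__ == "__main__":
    before, after, remaining = demo()
    print("before:", before)
    print("after: ", after)
    print("left in log4j jar:", remaining)
```

Re-scanning after the fix is the step worth keeping: Hadoop distributions ship more than one copy of log4j 1.2 (and sometimes a shaded jar that bundles it), so a single `zip -d` on the jar you happened to find first is not proof that the classes are gone from the classpath.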
