Hello @Stephen Atherton ,
Thank you for reaching out.
With the recently discovered vulnerability found in log4j, does this impact Azure Data Bricks, Azure Data Factory, Azure Purview?
Note: Log4j Remote Code Execution vulnerability doesn't impact Azure Data Bricks, Azure Data Factory, Azure Purview.
Microsoft is aware of active exploitation of a critical Log4j Remote Code Execution vulnerability affecting various industry-wide Apache products. This vulnerability is in the open source Java component Log4J versions 2.0 through 2.14.1 (inclusive) and is documented in Apache CVE-2021-44228.
Azure Databricks does not directly use a version of log4j known to be affected by the vulnerability within the Databricks platform in a way we understand may be vulnerable to this CVE (e.g., to log user-controlled strings). We have investigated the transitive use of log4j and have not found any evidence of vulnerable usage so far.
However, depending on the way you are using log4j within your Databricks dataplane cluster (e.g., if you are processing user-controlled strings through log4j), your use may be potentially vulnerable to the exploit if you have installed and are using an affected version or have installed services that transitively depend on an affected version.
If you determine that you have done so, we advise you to stop using an affected version of log4j until you upgrade to log4j version 2.15.x or reconfigure any affected service with the known temporary mitigation implemented (log4j2.formatMsgNoLookups set to true). Please restart the cluster once you have added the mitigation.
Hope this will help. Please let us know if you have any further queries.
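One way to check whether libraries installed on a cluster include log4j-core in the affected range the answer gives (2.0 through 2.14.1), including copies bundled inside fat jars. This is an added example, not part of the original answer and not Microsoft or Databricks tooling; it assumes jars keep their Maven `pom.properties` metadata, and the function names and sample jars are constructed for illustration.

```python
import io, re, tempfile, zipfile
from pathlib import Path

# Maven metadata file inside log4j-core jars; the version is read from it.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED = ((2, 0, 0), (2, 14, 1))  # inclusive range stated in the answer

def parse_version(text):
    """Return (major, minor, patch) for '2.14.1' or '2.0-beta9', else None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def inspect_jar(data, name, depth=0):
    """Yield (name, version, status) for log4j-core in a jar and its nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # truncated or non-zip file carrying a .jar name: skip it
    with zf:
        names = zf.namelist()
        if POM in names:
            m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
            raw = m[1].strip() if m else ""
            ver = parse_version(raw)
            hit = ver is not None and AFFECTED[0] <= ver <= AFFECTED[1]
            yield name, raw, "affected" if hit else "not in range" if ver else "unknown"
        for inner in [n for n in names if n.endswith(".jar") and depth < 3]:  # fat jars
            yield from inspect_jar(zf.read(inner), f"{name}!{inner}", depth + 1)

def scan(root):
    """Return findings for every .jar file under root, nested jars included."""
    return [f for p in sorted(Path(root).rglob("*.jar")) if p.is_file()
            for f in inspect_jar(p.read_bytes(), p.relative_to(root).as_posix())]

def make_jar(files):
    """Build a constructed sample jar (bytes) from a {member name: content} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in files.items():
            zf.writestr(member, content)
    return buf.getvalue()

if __name__ == "__main__":  # constructed tree: fat jar bundling 2.14.1, plus a 2.15.0 jar
    old = make_jar({POM: "version=2.14.1\n"})
    with tempfile.TemporaryDirectory() as d:
        Path(d, "app.jar").write_bytes(make_jar({"lib/log4j-core.jar": old}))
        Path(d, "fixed.jar").write_bytes(make_jar({POM: "version=2.15.0\n"}))
        print(*scan(d), sep="\n")
```

Jars that were shaded or stripped of Maven metadata are not reported, so an empty result does not prove log4j-core is absent.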