
updated log4j library to reload4j in order to address vulnerabilities

Open occhioni-esteco opened this issue 2 years ago • 5 comments

updated log4j library to reload4j in order to address CVE-2022-23305 CVE-2022-23302 CVE-2021-4104 CVE-2019-17571

occhioni-esteco, Apr 15 '22 07:04

Thank you for the suggestion @occhioni-esteco

michalkurka, Apr 18 '22 15:04

FYI: we currently do not use log4j 1.x in any of our standalone builds; we only use it for Hadoop builds and SW builds - both Hadoop and Spark come with log4j.

Even if we switched to the suggested library it won't affect the security of the application, since Hadoop/Spark will have the original log4j on the classpath.

michalkurka, Apr 18 '22 17:04

Thanks @michalkurka for looking into this.

You're right, probably the fix will not affect the standalone builds. The purpose of the fix is mainly to fix the transitive dependency on log4j 1.x for those codebases using h2o-core as an external dependency. Right now h2o-core depends on h2o-logging-impl-classic, which depends on log4j 1.2.17.

If this fix is not applied, we can assume that external projects that want to be "vulnerability safe" and have h2o-core as a dependency will have to exclude the log4j transitive dependency and inject the reload4j module into the classpath.

Let me know what you think about it.

Thanks

occhioni-esteco, Apr 19 '22 06:04
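The workaround described in the comment above (exclude the transitive log4j 1.x edge and supply reload4j instead), written out as a Gradle build file for a hypothetical downstream project that consumes h2o-core. This is an added example, not code from h2o-3 or from either participant in the thread. It assumes the Maven coordinates `ai.h2o:h2o-core` and `ch.qos.reload4j:reload4j`; the version strings are placeholders to be replaced with released versions, and `verifyNoLog4j1` is a task name chosen here.

```groovy
// build.gradle of a hypothetical downstream project that depends on h2o-core.
// Added example; not part of h2o-3. Version strings below are placeholders.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

def h2oVersion     = project.findProperty('h2oVersion')     ?: 'H2O_VERSION_PLACEHOLDER'
def reload4jVersion = project.findProperty('reload4jVersion') ?: 'RELOAD4J_VERSION_PLACEHOLDER'

dependencies {
    // Pull in h2o-core but cut the transitive edge to log4j 1.2.17
    // (h2o-core -> h2o-logging-impl-classic -> log4j:log4j, as described in the thread).
    implementation("ai.h2o:h2o-core:${h2oVersion}") {
        exclude group: 'log4j', module: 'log4j'
    }
    // Drop-in replacement: reload4j keeps the org.apache.log4j package names,
    // so h2o-logging-impl-classic links against it without code changes.
    implementation "ch.qos.reload4j:reload4j:${reload4jVersion}"
}

// The exclusion above only covers the h2o-core edge. If any other dependency also
// drags in log4j:log4j, rewrite that edge as well, in every configuration.
configurations.all {
    resolutionStrategy.dependencySubstitution {
        substitute module('log4j:log4j') using module("ch.qos.reload4j:reload4j:${reload4jVersion}")
    }
}

// Guard rail: fail the build if log4j 1.x still ends up on the runtime classpath,
// so a new transitive path cannot reintroduce it unnoticed.
tasks.register('verifyNoLog4j1') {
    description = 'Fails if log4j:log4j (1.x) is still resolved on the runtime classpath.'
    doLast {
        def offenders = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .findAll { it.moduleVersion.id.group == 'log4j' && it.moduleVersion.id.name == 'log4j' }
        if (!offenders.empty) {
            throw new GradleException("log4j 1.x still resolved: ${offenders*.file*.name}")
        }
    }
}

// Run the guard rail as part of the normal `check` lifecycle.
tasks.named('check') {
    dependsOn 'verifyNoLog4j1'
}
```

To see the substitution take effect, `./gradlew dependencyInsight --configuration runtimeClasspath --dependency log4j` reports which module satisfied the request; `./gradlew check` then runs the guard task. The Maven equivalent is an `<exclusions>` entry for `log4j:log4j` on the h2o-core dependency plus an explicit `ch.qos.reload4j:reload4j` dependency, verified with `mvn dependency:tree -Dincludes=log4j`. As michalkurka notes above, this only controls the classpath the consuming project builds itself; on Hadoop or Spark deployments the platform ships its own log4j, which this build file cannot replace.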

Any updates on this topic?

occhioni-esteco, Aug 02 '22 13:08

@occhioni-esteco no updates yet - we are currently not investigating this option

michalkurka, Aug 05 '22 21:08