Expedition, up to version 1.2.3, was making use of Log4j. This package has captured attention in the latest days related to the vulnerability CVE-2021-44228 that would allow code execution on the affected machines with a risk 10 of 10.
The vulnerability could be exploited making use of the lookup mechanissm that was introduced in version 2.
Expedition, via its modules for Spark, used Log4j version 1.2.17 which does not include the lookup mechanism and therefore is exempt to the issue. Expedition only used Log4j to write executing log information with predefined messages in the code (to provide information about the execution state) and some parquet data samples when set in Debug mode.
Currently, the Apache Spark team is working on including Log4j 2.16.0 into the core modules of the project. Not because version 1.2.17 is vulnerable to the current threats, but because that version, even useful, got already lots of improvements and it is time to get it upgraded.
Due to the simplicity of the logic used in Log4j and to reduce any concerns on Expedition users, we have decided to stop using Log4j and wait until Apache Spark team includes a newer version into the solution.
We take security very seriously, and also we care a lot about the user experience when using the tool and when not using it. So, now you can sit back and rest, knowing that, if Expedition 1.2.3 was not vulnerable before using Log4j 1.2.17, it is for sure not vulnerable on Expedition 18.104.22.168, when Log4j has been removed.
The Expedition Team