A vulnerability of log4j became public.
Amongst other packages, I am using R shiny and h2o packages.
I already found out, that shiny is not affected by the vulnerability, since it uses log4js(see https://github.com/log4js-node/log4js-node/issues/1105), which is an implementation in Javascript.
Now we come to h2o. I know that this package provides an API to the h2o-framework in Java. In the documentation of building h2o from source from github (see https://h2o-release.s3.amazonaws.com/h2o/rel-noether/4/docs-website/developuser/quickstart_git.html), i found along the lines
javac -source 1.6 -target 1.6 -sourcepath src/main/java -classpath
"../lib/log4j/log4j-1.2.15.jar:../target/h2o.jar:../lib/hadoop/mapr2.1.3/hadoop-0.20.2-dev-core.jar"
-d classes/mapr2.1.3 src/main/java/water/hadoop/*.java
warning: [options] bootstrap class path not set in conjunction with -source 1.6
1 warning
jar cf target/h2odriver_mapr2.1.3.jar -C classes/mapr2.1.3 .
make build_inner HADOOP_VERSION=cdh3
mkdir classes/cdh3
javac -source 1.6 -target 1.6 -sourcepath src/main/java -classpath
"../lib/log4j/log4j-1.2.15.jar:../target/h2o.jar:../lib/hadoop/cdh3/hadoop-core-0.20.2-cdh3u6.jar" -d
classes/cdh3 src/main/java/water/hadoop/*.java
warning: [options] bootstrap class path not set in conjunction with -source 1.6
1 warning
jar cf target/h2odriver_cdh3.jar -C classes/cdh3 .
make build_inner HADOOP_VERSION=cdh4
mkdir classes/cdh4
javac -source 1.6 -target 1.6 -sourcepath src/main/java -classpath
"../lib/log4j/log4j-1.2.15.jar:../target/h2o.jar:../lib/hadoop/cdh4/hadoop-common.jar:../
It seems like h2o is using log4j, but I don't know much about Java and its dependencies.
Can anyone with more knowledge clearify whether the h2o-package is affected by the log4j vulnerability? And if so, how to solve or workaround this?
Thank you very much in advance.
