Log4j vulnerability in dataproc - how to update?

In the Google Cloud Console, clusters that I recently created by the standard script e.g.

hailctl dataproc start [name] --region [region]

are showing up as using an image that has log4j vulnerabilities. Is there any way to fix this?


EDIT: Hail 0.2.80 is now available, please install that to avoid this issue.


Hey @heesuallykim,

We’ll be releasing a new hailctl version shortly.

If you absolutely need to fix this now, you can edit the IMAGE_VERSION variable in the hailtop/hailctl/dataproc/start.py file in your installation of Hail. For example, my Hail is installed in /Users/dking/miniconda3/lib/python3.7/site-packages:

# pip3 show hail
Name: hail
Version: 0.2.79
Summary: Scalable library for exploring and analyzing genomic data.
Home-page: https://hail.is
Author: Hail Team
Author-email: hail@broadinstitute.org
License: UNKNOWN
Location: /Users/dking/miniconda3/lib/python3.7/site-packages
Requires: google-cloud-storage, python-json-logger, nest-asyncio, hurry.filesize, requests, azure-identity, bokeh, numpy, pandas, tqdm, azure-storage-blob, humanize, dill, gcsfs, parsimonious, boto3, google-auth, janus, asyncinit, scipy, aiohttp-session, tabulate, sortedcontainers, orjson, decorator, fsspec, botocore, pyspark, avro, Deprecated, aiohttp, PyJWT
Required-by: benchmark-hail

So I can modify

/Users/dking/miniconda3/lib/python3.7/site-packages/hailtop/hailctl/dataproc/start.py

Replacing

IMAGE_VERSION = '2.0.22-debian10'

with

IMAGE_VERSION = '2.0.25-debian10'
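The manual edit described in the reply above, done as a small script. This is an added example, not code from the Hail project or from the reply's author. It assumes only what the reply states: that the pin lives in the module hailtop.hailctl.dataproc.start as a single line of the form IMAGE_VERSION = '2.0.22-debian10', and that the target is '2.0.25-debian10'. It refuses to write if it cannot find exactly one such assignment, keeps a .bak copy of the original file, and defaults to a dry run so you can see the path and the old/new values before anything is changed.

```python
"""Patch the Dataproc IMAGE_VERSION pinned in an installed hailctl.

Added example; not part of Hail. Assumes start.py contains exactly one
assignment of the form IMAGE_VERSION = '<version>' (as shown in the reply).
"""
import importlib.util
import re
from pathlib import Path
from typing import Optional, Tuple

# Matches a top-level  IMAGE_VERSION = '...'  (or "...") line; group 2 is the
# quote character, group 3 the pinned version string.
IMAGE_VERSION_RE = re.compile(
    r"^(IMAGE_VERSION\s*=\s*)(['\"])([^'\"]+)\2", re.MULTILINE
)

# Module path taken from the reply's file path .../hailtop/hailctl/dataproc/start.py
START_MODULE = "hailtop.hailctl.dataproc.start"


def patch_image_version(source: str, new_version: str) -> Tuple[str, str]:
    """Return (patched_source, old_version).

    Raises ValueError unless exactly one IMAGE_VERSION assignment is present,
    so a changed file layout in some other Hail release is not silently
    half-patched or left untouched.
    """
    matches = IMAGE_VERSION_RE.findall(source)
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one IMAGE_VERSION assignment, found {len(matches)}"
        )
    old_version = matches[0][2]
    patched = IMAGE_VERSION_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{new_version}{m.group(2)}", source
    )
    return patched, old_version


def locate_start_py() -> Optional[Path]:
    """Find start.py in the Python environment this script runs in.

    Returns None if Hail (hailtop) is not importable here, which usually means
    the wrong interpreter / virtualenv is active.
    """
    try:
        spec = importlib.util.find_spec(START_MODULE)
    except ModuleNotFoundError:
        return None
    if spec is None or spec.origin is None:
        return None
    return Path(spec.origin)


def patch_installed(new_version: str, dry_run: bool = True) -> Tuple[Path, str, str]:
    """Patch the installed start.py. Returns (path, old_version, new_version).

    With dry_run=True (the default) nothing is written. With dry_run=False the
    original is saved next to it as start.py.bak before the file is rewritten.
    """
    path = locate_start_py()
    if path is None:
        raise FileNotFoundError(f"{START_MODULE} is not installed for this interpreter")
    source = path.read_text(encoding="utf-8")
    patched, old_version = patch_image_version(source, new_version)
    if not dry_run:
        path.with_name("start.py.bak").write_text(source, encoding="utf-8")
        path.write_text(patched, encoding="utf-8")
    return path, old_version, new_version


# Constructed stand-in for the relevant line of start.py, so the patch logic
# can be exercised without Hail installed.
SAMPLE_START_PY = (
    "import sys\n"
    "\n"
    "IMAGE_VERSION = '2.0.22-debian10'\n"
    "\n"
    "def main(args):\n"
    "    pass\n"
)

if __name__ == "__main__":
    patched, old = patch_image_version(SAMPLE_START_PY, "2.0.25-debian10")
    print(f"sample: {old} -> 2.0.25-debian10")
    print(patched)
    try:
        path, old, new = patch_installed("2.0.25-debian10", dry_run=True)
        print(f"would patch {path}: {old} -> {new}  (re-run with dry_run=False to apply)")
    except FileNotFoundError as e:
        print(e)
```

Run it with the same interpreter that `pip3 show hail` reports, otherwise the lookup finds nothing. Two caveats worth keeping in mind: the change only affects clusters started after the edit (clusters already running keep the image they were created with), and a later `pip install --upgrade hail` overwrites start.py, which is fine once the fixed 0.2.80 release is what you upgrade to.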

Hail 0.2.80 is now available and addresses the aforementioned log4j vulnerability. We continue to monitor the log4j situation and will release another version of Hail if necessary.

We’ve released 0.2.81 which addresses the latest round of log4j vulnerabilities.