Log4j vulnerability in dataproc - how to update?

In the Google Cloud Console, clusters that I recently created by the standard script e.g.

hailctl dataproc start [name] --region [region]

are showing up as using an image that has log4j vulnerabilities. Is there any way to fix this?

1 Like

EDIT: Hail 0.2.80 is now available, please install that to avoid this issue.

Hey @heesuallykim ,

We’ll be releasing a new hailctl version shortly.

If you absolutely need to fix this now, you can edit the IMAGE_VERSION variable in the hailtop/hailctl/dataproc/start.py file in your installation of Hail. For example, my Hail is installed in /Users/dking/miniconda3/lib/python3.7/site-packages:

# pip3 show hail
Name: hail
Version: 0.2.79
Summary: Scalable library for exploring and analyzing genomic data.
Home-page: https://hail.is
Author: Hail Team
Author-email: hail@broadinstitute.org
License: UNKNOWN
Location: /Users/dking/miniconda3/lib/python3.7/site-packages
Requires: google-cloud-storage, python-json-logger, nest-asyncio, hurry.filesize, requests, azure-identity, bokeh, numpy, pandas, tqdm, azure-storage-blob, humanize, dill, gcsfs, parsimonious, boto3, google-auth, janus, asyncinit, scipy, aiohttp-session, tabulate, sortedcontainers, orjson, decorator, fsspec, botocore, pyspark, avro, Deprecated, aiohttp, PyJWT
Required-by: benchmark-hail

So I can modify



IMAGE_VERSION = '2.0.22-debian10'


IMAGE_VERSION = '2.0.25-debian10'
1 Like

Hail 0.2.80 is now available and addresses the aforementioned log4j vulnerability. We continue to monitor the log4j situation and will release another version of Hail if necessary.

We’ve released 0.2.81 which addresses the latest round of log4j vulnerabilities.