Security Advisory 13th Jan 2022
We are pleased to announce the general availability of Matillion ETL v1.59.10. This hotfix release continues our effort to address the log4j security vulnerability and ships with two versions of log4j:
- Log4j v2.17 - this is a safe version of log4j with no known vulnerabilities.
- sb_slf4j-log4j - this includes a version of log4j 1.x, and is brought in by the Apache Spark JDBC driver used by Matillion ETL for Delta Lake on Databricks. Please note that this instance of log4j is never used by Matillion ETL. Databricks is also in the process of removing it completely from the driver. Once this is done, we will release a new version of Matillion ETL with the driver upgrade.
For customers who specifically need JDBC driver logging with the Spark driver, Matillion ETL 1.59.10 incorporates a non-vulnerable version of log4j (v2.17), and we recommend you upgrade. If you do not require the Spark driver, there is no requirement to upgrade to this version of Matillion ETL.
For further assistance, submit a case at the Matillion Support Portal.