google-cloud-dataproc

Need information on Dataproc image version 1.5.54


Where can I check for information on Dataproc image version 1.5.54 and verify that it is not vulnerable to the log4j RCE? In the Dataproc release notes, 1.5.53 is listed as the latest release from December.

When launching Dataproc clusters with image version 1.5-ubuntu18, which automatically picks the latest 1.5.x image, we noticed that Dataproc was using images with subminor version 1.5.54-ubuntu18 when we were expecting 1.5.53 as per the release page. The web console also has a warning message for all 1.5.54 Dataproc clusters that this version is vulnerable to the log4j exploit and that we should be using a newer image.


Solution

  • The release notes for 1.4.78, 1.5.54 and 2.0.28 have just been published. The images come with log4j 2.17.0, which doesn't have the vulnerability.

    The warning message is a false signal; the Dataproc team is working to remove it. Sorry for the confusion!