  1. Apache Storm
  2. STORM-3809

CVE-2021-44228 Log4Shell: upgrade log4j2

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Duplicate
    • 2.3.0, 2.2.1
    • None
    • storm-core
    • None
    • Important

    Description

      A recent critical CVE, Log4Shell (https://www.cvedetails.com/cve/CVE-2021-44228/), affects Storm (e.g., Storm 2.2.0 uses log4j-api-2.11.2.jar). Any log4j2 between 2.0 and 2.14 is affected.

      I did not find any issue or news related to Apache Storm and a fix, so I created this ticket to track it down.

      Please upgrade to the latest Log4j2 >= 2.16.0 (see https://search.maven.org/artifact/org.apache.logging.log4j/log4j/2.16.0/pom) in both the 2.2.X and 2.3.X Storm branches. Thank you!
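
An added example, not part of the ticket or of Storm's code: a Python inventory of Log4j2 jars under an install directory that flags any 2.x version below the 2.16.0 minimum requested above. It goes beyond file names by also reading the Maven `pom.properties` kept inside shaded jars; the function names and the sample directory tree are assumptions constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

MIN_FIXED = (2, 16, 0)  # minimum Log4j2 version the ticket asks for
JAR_NAME = re.compile(r"^log4j-(api|core)-(\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9]+)?\.jar$")
POM_PROPS = re.compile(r"^META-INF/maven/org\.apache\.logging\.log4j/log4j-(api|core)/pom\.properties$")

def parse_version(text):  # '2.11.2' -> (2, 11, 2); qualifiers like '-beta9' are dropped
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", text).group(0).split(".")]
    return tuple((nums + [0, 0])[:3])

def needs_upgrade(version):  # any 2.x release older than the ticket's requested minimum
    return (2, 0, 0) <= version < MIN_FIXED

def embedded_versions(jar_path):
    """Read Maven pom.properties inside a jar, for shaded jars that keep that metadata."""
    found = []
    if not zipfile.is_zipfile(jar_path):
        return found  # not a readable archive: nothing to report from its contents
    with zipfile.ZipFile(jar_path) as zf:
        for entry in zf.namelist():
            m = POM_PROPS.match(entry)
            v = m and re.search(r"^version=(\d[\w.-]*)", zf.read(entry).decode("utf-8", "replace"), re.M)
            if v:
                found.append((f"log4j-{m.group(1)}", parse_version(v.group(1))))
    return found

def scan(root):  # -> [(relative path, artifact, version, needs_upgrade), ...]
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        m = JAR_NAME.match(jar.name)
        hits = [(f"log4j-{m.group(1)}", parse_version(m.group(2)))] if m else embedded_versions(jar)
        for artifact, ver in hits:
            findings.append((jar.relative_to(root).as_posix(), artifact, ".".join(map(str, ver)), needs_upgrade(ver)))
    return findings

def demo():  # scans a constructed directory tree (sample data, not a real Storm install)
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "lib")
        lib.mkdir()
        (lib / "log4j-api-2.11.2.jar").touch()  # file name quoted in the ticket
        (lib / "log4j-core-2.16.0.jar").touch()
        with zipfile.ZipFile(lib / "topology-shaded.jar", "w") as zf:
            zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties", "version=2.14.1\n")
        return scan(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Jars that were shaded without their Maven metadata are not detected by this check and need a class-level inspection instead.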

            People

              Assignee: Unassigned
              Reporter: Antoine Tran (antoine.tran)