Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
Description
log4j v1 is at its EOL, but due to some implicit package references in Maven, some tools/libs are still packaging log4j. All latest releases are impacted.
Packages impacted:
- storm-autocreds
- storm-kafka-monitor
It would be good to fix/release this together with the recent log4j v2 CVEs, so that vulnerability scans will be clear of log4j vulnerabilities.
Issue Links
- relates to: STORM-3811 Upgrade log4j version to 2.17.1 (Resolved)