Apache Storm / STORM-3814

storm-core: Remediate log4j critical vulnerabilities -> 2.16.0 or newer, prefer 2.17.1

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: 1.2.3, 2.3.0
    • Fix Version/s: None
    • Component/s: storm-core
    • Labels: None

    Description

      To remediate these Log4j vulnerabilities, please update Storm 2.3.0 and 1.2.3.

      • Criticals
        • Fixed in Log4j 2.16.0 (Java 8) and Log4j 2.12.2 (Java 7)
          • CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
        • Fixed in Log4j 2.15.0 (Java 8)
          • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
      • Moderates
        • Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)
          • CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
        • Fixed in Log4j 2.17.0 (Java 8), 2.12.3 (Java 7) and 2.3.1 (Java 6)
          • CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
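The list above pairs each CVE with the Log4j release that fixes it on each Java line. The following checker, an added example that is not code from the Apache Storm project or from this ticket, scans `mvn dependency:tree` output for `log4j-core` and reports, per occurrence, which of the four CVEs the found version has not yet reached the fix release for. It assumes the tree is the default text output of `mvn dependency:tree`, that the Java 6 and Java 7 lines are the 2.3.x and 2.12.x series the ticket names, and it treats any CVE for which the ticket lists no fix release on a given line as unremediated rather than safe. The sample tree is constructed, not a real Storm build.

```python
"""Flag log4j-core versions in a Maven dependency tree against the fix
releases listed on STORM-3814.

Added example, not code from the Apache Storm project or the ticket. Assumes
`mvn dependency:tree` default text output and that 2.3.x / 2.12.x are the
Java 6 / Java 7 lines named on the ticket. The sample tree is constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fix releases per CVE and per Java line, exactly as listed on the ticket.
# Entries the ticket does not give (e.g. CVE-2021-44228 on the Java 7 and
# Java 6 lines) are deliberately absent and are reported as "unlisted".
FIXED_IN: Dict[str, Dict[str, Version]] = {
    "CVE-2021-44228": {"java8": (2, 15, 0)},
    "CVE-2021-45046": {"java8": (2, 16, 0), "java7": (2, 12, 2)},
    "CVE-2021-45105": {"java8": (2, 17, 0), "java7": (2, 12, 3), "java6": (2, 3, 1)},
    "CVE-2021-44832": {"java8": (2, 17, 1), "java7": (2, 12, 4), "java6": (2, 3, 2)},
}

# Matches the log4j-core coordinate in a dependency:tree line, e.g.
# "[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.11.1:compile".
LOG4J_CORE_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core:jar:([^:\s]+):(\w+)")


def parse_version(text: str) -> Version:
    """'2.12.1' -> (2, 12, 1). Missing components are zero-padded so '2.17'
    compares equal to '2.17.0'; a qualifier such as '-rc1' is dropped, so a
    pre-release is treated as the release it precedes."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()][:3]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def release_line(version: Version) -> str:
    """Map a version to its Java line as the ticket names them: 2.3.x is the
    Java 6 line, 2.12.x the Java 7 line, everything else the Java 8 line."""
    major, minor, _ = version
    if (major, minor) == (2, 3):
        return "java6"
    if (major, minor) == (2, 12):
        return "java7"
    return "java8"


def cve_status(version: Version) -> Tuple[List[str], List[str]]:
    """Return (unfixed, unlisted): CVEs whose fix release on this line is
    newer than `version`, and CVEs for which the ticket lists no fix release
    on this line at all (counted as not remediated, never as safe)."""
    line = release_line(version)
    unfixed: List[str] = []
    unlisted: List[str] = []
    for cve, fixes in FIXED_IN.items():
        fixed = fixes.get(line)
        if fixed is None:
            unlisted.append(cve)
        elif version < fixed:
            unfixed.append(cve)
    return unfixed, unlisted


def scan_dependency_tree(lines: List[str]) -> List[dict]:
    """One finding per log4j-core occurrence, in tree order. Every scope is
    reported, test included, so that nothing is silently skipped."""
    findings = []
    for line in lines:
        match = LOG4J_CORE_RE.search(line)
        if not match:
            continue
        version = parse_version(match.group(1))
        unfixed, unlisted = cve_status(version)
        findings.append({
            "version": match.group(1),
            "scope": match.group(2),
            "line": release_line(version),
            "unfixed": unfixed,
            "unlisted": unlisted,
            "remediated": not unfixed and not unlisted,
        })
    return findings


# Constructed sample in `mvn dependency:tree` format (not a real Storm build).
SAMPLE_TREE = """\
[INFO] org.apache.storm:storm-core:jar:2.3.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.11.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.11.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.11.1:compile
[INFO] \\- example.vendor:tooling:jar:1.0:test
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:test
"""

if __name__ == "__main__":
    for f in scan_dependency_tree(SAMPLE_TREE.splitlines()):
        state = "OK" if f["remediated"] else "UPGRADE"
        print(f"log4j-core {f['version']} ({f['scope']}, {f['line']} line): "
              f"{state} unfixed={f['unfixed']} unlisted={f['unlisted']}")
```

Pipe a real tree in with `mvn dependency:tree | python checker.py` after replacing `SAMPLE_TREE.splitlines()` with `sys.stdin`. The "unlisted" bucket is the conservative choice: a 2.12.4 build is reported as not fully covered because the ticket gives no Java 7 fix release for CVE-2021-44228, which is the prompt to check the Log4j advisories rather than to assume the line is clean.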


People

    • Assignee: Unassigned
    • Reporter: Franco Luong (sfdcfranco)
    • Votes: 0
    • Watchers: 1
