Details
-
Requirement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
2.3.0
-
None
-
None
Description
Hi Team,
When we ran our vulnerability scanner we found following components has log4j vulnerability
lib/jetty-servlets-9.4.14.v20181114.jar
lib/kafka-clients-0.11.0.3.jar
lib-tools/sql/core/protobuf-java-3.1.0.jar
lib-tools/sql/runtime/calcite-core-1.14.0.jar
lib-tools/sql/runtime/guava-16.0.1.jar
lib-tools/sql/runtime/guava-16.0.1.jar
lib-webapp/dropwizard-validation-1.3.5.jar
lib-webapp/dropwizard-validation-1.3.5.jar
lib-webapp/hibernate-validator-5.4.2.Final.jar
lib-webapp/hibernate-validator-6.0.17.Final.jar
lib-webapp/hibernate-validator-6.0.17.Final.jar
lib-webapp/jakarta.el-3.0.2.jar
Required versions to resolve vulnerabilities :
jetty-servlets > 9.4.41.v20210516
kafka-clients > 2.1.1
protobuf-java > 3.4.0
calcite-core > 1.26.0
guava > 30.0
dropwizard-validation > 1.3.21
hibernate-validator > 6.0.20
jakartha-el > 3.0.4
is there any procedure to follow to resolve this vulnerability issue while changing the required libraries in the given storm version? or Apache Storm team is planning to release a new version of Storm which handles the vulnerability issues?
Kindly let is know your feedback so that we can either upgrade the given packages under the current version of storm we have or we download the newer version of storm which implicitly handles this issue.
Thanks in advance
Regards,
Adarsh