Apache Storm JIRA: STORM-3840

log4j vulnerability


Details

    • Type: Requirement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.0
    • Fix Version/s: 2.6.0
    • Component/s: None
    • Labels: None

    Description

      Hi Team,

      When we ran our vulnerability scanner we found that the following components have a log4j vulnerability:

      lib/jetty-servlets-9.4.14.v20181114.jar
      lib/kafka-clients-0.11.0.3.jar
      lib-tools/sql/core/protobuf-java-3.1.0.jar
      lib-tools/sql/runtime/calcite-core-1.14.0.jar
      lib-tools/sql/runtime/guava-16.0.1.jar
      lib-tools/sql/runtime/guava-16.0.1.jar
      lib-webapp/dropwizard-validation-1.3.5.jar
      lib-webapp/dropwizard-validation-1.3.5.jar
      lib-webapp/hibernate-validator-5.4.2.Final.jar
      lib-webapp/hibernate-validator-6.0.17.Final.jar
      lib-webapp/hibernate-validator-6.0.17.Final.jar
      lib-webapp/jakarta.el-3.0.2.jar

      Required versions to resolve the vulnerabilities:

      jetty-servlets > 9.4.41.v20210516
      kafka-clients > 2.1.1
      protobuf-java > 3.4.0
      calcite-core > 1.26.0
      guava > 30.0
      dropwizard-validation > 1.3.21
      hibernate-validator > 6.0.20
      jakarta-el > 3.0.4

      Is there any procedure to follow to resolve this vulnerability issue while changing the required libraries in the given Storm version? Or is the Apache Storm team planning to release a new version of Storm which handles the vulnerability issues?

      Kindly let us know your feedback so that we can either upgrade the given packages under the current version of Storm we have, or download the newer version of Storm which implicitly handles this issue.

      Thanks in advance.

      Regards,
      Adarsh
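The check the reporter is asking about can be automated: parse the artifact and version out of each shipped jar name and compare it against the required version for that artifact. The script below is an added example for this issue, not code from Apache Storm or from the reporter; it uses the jar paths and required versions from the report as constructed input and assumes the listed version is the minimum acceptable one (so a jar at exactly that version passes). The report's "jakartha-el" is mapped to the `jakarta.el` artifact, which is how the jar is actually named.

```python
import re
from pathlib import PurePosixPath

# Constructed input: the jar paths as listed in the report, duplicates included.
SCANNED_JARS = [
    "lib/jetty-servlets-9.4.14.v20181114.jar",
    "lib/kafka-clients-0.11.0.3.jar",
    "lib-tools/sql/core/protobuf-java-3.1.0.jar",
    "lib-tools/sql/runtime/calcite-core-1.14.0.jar",
    "lib-tools/sql/runtime/guava-16.0.1.jar",
    "lib-tools/sql/runtime/guava-16.0.1.jar",
    "lib-webapp/dropwizard-validation-1.3.5.jar",
    "lib-webapp/dropwizard-validation-1.3.5.jar",
    "lib-webapp/hibernate-validator-5.4.2.Final.jar",
    "lib-webapp/hibernate-validator-6.0.17.Final.jar",
    "lib-webapp/hibernate-validator-6.0.17.Final.jar",
    "lib-webapp/jakarta.el-3.0.2.jar",
]

# Minimum acceptable versions from the report, keyed by the artifactId as it
# appears in the jar file name (assumption: "at least this version" is acceptable).
MINIMUM_VERSIONS = {
    "jetty-servlets": "9.4.41.v20210516",
    "kafka-clients": "2.1.1",
    "protobuf-java": "3.4.0",
    "calcite-core": "1.26.0",
    "guava": "30.0",
    "dropwizard-validation": "1.3.21",
    "hibernate-validator": "6.0.20",
    "jakarta.el": "3.0.4",
}

# Splits at the first "-<digit>"; artifact names that themselves contain
# "-<digit>" (e.g. log4j-1.2-api) would need a smarter split.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")


def parse_jar_name(path):
    """Return (artifact, version) for 'dir/artifact-1.2.3.Final.jar', or None."""
    m = JAR_NAME.match(PurePosixPath(path).name)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def version_key(version):
    """Comparable tuple of ints for a Maven-style version string.

    Numeric tokens compare numerically (so 1.3.21 > 1.3.5); Jetty's
    'v20181114' date token becomes its number; other qualifiers such as
    'Final' count as 0 so they neither raise nor lower the version.
    """
    key = []
    for tok in re.split(r"[.\-]", version):
        m = re.fullmatch(r"v?(\d+)", tok)
        key.append(int(m.group(1)) if m else 0)
    return tuple(key)


def is_below(found, minimum):
    """True if `found` is strictly older than `minimum` (shorter keys are zero-padded)."""
    a, b = version_key(found), version_key(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(jar_paths, minimums):
    """Sorted, de-duplicated (path, artifact, found, minimum) for each jar below its minimum.

    Jars whose artifact is not in `minimums` are skipped, not reported.
    """
    findings = set()
    for path in jar_paths:
        parsed = parse_jar_name(path)
        if parsed is None:
            continue
        artifact, version = parsed
        minimum = minimums.get(artifact)
        if minimum is not None and is_below(version, minimum):
            findings.add((path, artifact, version, minimum))
    return sorted(findings)


if __name__ == "__main__":
    for path, artifact, found, minimum in audit(SCANNED_JARS, MINIMUM_VERSIONS):
        print(f"{path}: {artifact} {found} is below required {minimum}")
```

Run against the report's list, every one of the nine distinct jars is flagged, which matches the reporter's scan; the duplicate entries collapse to one finding each. The same `audit` function can be pointed at a directory listing of a real Storm installation (`find lib* -name '*.jar'`) once the scanned jar paths are read from that listing instead of the constructed list.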

          People

            Assignee: Unassigned
            Reporter: Adarsh Shukla (ashukl24)