Posted to issues@storm.apache.org by "PJ Fanning (Jira)" <ji...@apache.org> on 2022/02/05 12:48:00 UTC

[jira] [Commented] (STORM-3812) Storm release packages log4j v1

    [ https://issues.apache.org/jira/browse/STORM-3812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487480#comment-17487480 ] 

PJ Fanning commented on STORM-3812:
-----------------------------------

[~1zha0] is this a duplicate of STORM-3811?

> Storm release packages log4j v1
> -------------------------------
>
>                 Key: STORM-3812
>                 URL: https://issues.apache.org/jira/browse/STORM-3812
>             Project: Apache Storm
>          Issue Type: Improvement
>            Reporter: Liang Zhao
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> log4j v1 is at its EOL, but due to some implicit package references in maven, some tools/libs are still packaging log4j. All latest releases are being impacted. 
>  
> Packages impacted:
>  * storm-autocreds
>  * storm-kafka-monitor
>  
> It would be good to fix/release this together with log4j v2 recent CVEs, thus vulnerability scan will be clear for log4j vulnerability.
>  

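As an added example (not part of this Jira thread or of the Storm build), the script below parses `mvn dependency:tree` output, reports the path through which a `log4j:log4j` 1.x artifact is pulled in transitively, and prints the `pom.xml` exclusion for the direct dependency responsible. The sample tree and the `org.example:legacy-lib` path are constructed; `EXAMPLE-VERSION` is a placeholder.

```python
import re
from typing import List

# Constructed sample of `mvn dependency:tree` output for a hypothetical module.
# The legacy-lib path that drags log4j 1.x in is illustrative, not the real Storm build.
SAMPLE_TREE = r"""[INFO] org.apache.storm:storm-autocreds:jar:EXAMPLE-VERSION
[INFO] +- org.apache.storm:storm-client:jar:EXAMPLE-VERSION:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- org.example:legacy-lib:jar:0.9:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
"""

# The tree prefix is built from 3-char cells ("+- ", "\- ", "|  ", "   ");
# the Maven coordinate starts at the first alphanumeric character.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*)(?P<coord>[A-Za-z0-9].*)$")


def find_log4j1_paths(tree_text: str) -> List[List[str]]:
    """Return every path module -> ... -> log4j:log4j 1.x found in the tree."""
    stack: List[str] = []
    hits: List[List[str]] = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":")  # group:artifact:type[:classifier]:version[:scope]
        if len(parts) < 4:
            continue                         # not a coordinate line (e.g. "BUILD SUCCESS")
        depth = len(m.group("prefix")) // 3
        del stack[depth:]                    # drop nodes at this depth or deeper
        stack.append(m.group("coord"))
        version = parts[-1] if len(parts) == 4 else parts[-2]
        if parts[0] == "log4j" and parts[1] == "log4j" and version.startswith("1."):
            hits.append(list(stack))
    return hits


def exclusion_snippet(path: List[str]) -> str:
    """pom.xml <exclusion> for the direct dependency through which log4j 1.x arrives."""
    if len(path) < 2:
        raise ValueError("path must contain the module and at least one dependency")
    group, artifact = path[1].split(":")[:2]  # path[0] is the module itself
    return (
        f"<dependency>\n  <groupId>{group}</groupId>\n  <artifactId>{artifact}</artifactId>\n"
        "  <exclusions>\n    <exclusion>\n      <groupId>log4j</groupId>\n"
        "      <artifactId>log4j</artifactId>\n    </exclusion>\n  </exclusions>\n</dependency>"
    )


if __name__ == "__main__":
    for path in find_log4j1_paths(SAMPLE_TREE):
        print(" -> ".join(path))
        print(exclusion_snippet(path))
```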


--
This message was sent by Atlassian Jira
(v8.20.1#820001)