Posted to user@storm.apache.org by Carmen Molatch <cm...@comcast.net> on 2022/01/11 20:41:17 UTC

How to address log4j vulnerability in Storm 1.2.2

Hello

We have Storm 1.2.2.  Do I need to upgrade to a later version or can I replace the log4j* files (2.8.2) with the latest 2.17.1 files?  Is that advisable or should it be avoided?

Thank you

Carmen

Re: How to address log4j vulnerability in Storm 1.2.2

Posted by Rui Abreu <ru...@gmail.com>.
Hi Carmen,

I haven't tested that solution myself yet, but in theory it could work. You
can try that in a dev machine. Try to replace the log4j JARs shipped with
your version of storm with the latest one and try to spot any runtime
errors.

On Tue, Jan 11, 2022, 23:28 Carmen Molatch <cm...@comcast.net> wrote:

> Hello Rui.  Thanks for your response.  I implemented the change
> recommended in your link several weeks ago, however, the company is asking
> to upgrade the log4j* files to 2.17.1.  So, can I simply replace the 2.8.2
> log4j* files in Storm 1.2.2, or do I upgrade?  I checked the latest storm
> release and it doesn’t have the updated 2.17.1 log4j* files yet.
>
> Thanks
>
> Carmen
>
> > On Jan 11, 2022, at 1:41 PM, Carmen Molatch <cm...@comcast.net>
> wrote:
> >
> > Hello
> >
> > We have Storm 1.2.2.  Do I need to upgrade to a later version or can I
> replace the log4j* files (2.8.2) with the latest 2.17.1 files?  Is that
> advisable or should it be avoided?
> >
> > Thank you
> >
> > Carmen
>
>

Re: How to address log4j vulnerability in Storm 1.2.2

Posted by Carmen Molatch <cm...@comcast.net>.
Hello Rui.  Thanks for your response.  I implemented the change recommended in your link several weeks ago, however, the company is asking to upgrade the log4j* files to 2.17.1.  So, can I simply replace the 2.8.2 log4j* files in Storm 1.2.2, or do I upgrade?  I checked the latest storm release and it doesn’t have the updated 2.17.1 log4j* files yet.

Thanks

Carmen

> On Jan 11, 2022, at 1:41 PM, Carmen Molatch <cm...@comcast.net> wrote:
> 
> Hello
> 
> We have Storm 1.2.2.  Do I need to upgrade to a later version or can I replace the log4j* files (2.8.2) with the latest 2.17.1 files?  Is that advisable or should it be avoided?
> 
> Thank you
> 
> Carmen


Re: How to address log4j vulnerability in Storm 1.2.2

Posted by Rui Abreu <ru...@gmail.com>.
You can follow the instructions
<https://logging.apache.org/log4j/2.x/security.html> from the Apache Log4j
project and just remove the JndiLookup class from the classpath:

   - zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class


On Tue, 11 Jan 2022 at 20:42, Carmen Molatch <cm...@comcast.net> wrote:

> Hello
>
> We have Storm 1.2.2.  Do I need to upgrade to a later version or can I
> replace the log4j* files (2.8.2) with the latest 2.17.1 files?  Is that
> advisable or should it be avoided?
>
> Thank you
>
> Carmen
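The two options discussed in this thread are (a) removing the JndiLookup class from the log4j-core JAR, as Rui's `zip -d` command does, and (b) swapping the 2.8.2 JARs for 2.17.1. Either way an operator wants to verify, on the actual Storm lib directory, which log4j-core version is present and whether the JndiLookup entry is still there. The script below is an added example, not part of this thread or of the Storm or Log4j projects: it audits every `log4j-core*.jar` in a directory (reading `Implementation-Version` from the manifest and checking for the class entry), and offers a portable equivalent of `zip -q -d` that rewrites the JAR without that entry so the result can be checked again. The `make_sample_jar` helper builds a constructed stand-in JAR (fake class bytes, version string taken from the thread) so the script runs offline; on a real system you would point `audit_lib_dir` at Storm's `lib/` directory instead.

```python
"""Audit log4j-core JARs for the JndiLookup class and optionally strip it.

Added example for the Storm/log4j thread above; not project code.
"""
import os
import tempfile
import zipfile
from pathlib import Path

# Class entry that the Log4j security page's `zip -d` command removes.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def log4j_core_version(jar_path):
    """Return Implementation-Version from the JAR manifest, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def has_jndi_lookup(jar_path):
    """True if the JndiLookup class is still present in the JAR."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the JAR without JndiLookup.class (portable `zip -q -d` equivalent).

    Returns True if the entry was removed, False if it was not present.
    The JAR is rebuilt into a temp file and atomically swapped in, so a
    failure part-way leaves the original untouched.
    """
    if not has_jndi_lookup(jar_path):
        return False
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename == JNDI_LOOKUP:
                continue
            dst.writestr(item, src.read(item.filename))
    os.replace(tmp_path, jar_path)
    return True


def audit_lib_dir(lib_dir):
    """Map each log4j-core*.jar in lib_dir to (version, has_jndi_lookup)."""
    report = {}
    for jar in sorted(Path(lib_dir).glob("log4j-core*.jar")):
        report[jar.name] = (log4j_core_version(str(jar)), has_jndi_lookup(str(jar)))
    return report


def make_sample_jar(path, version="2.8.2", include_jndi=True):
    """Constructed sample JAR: manifest plus placeholder class entries.

    The class bytes are a fake 4-byte magic header, not real bytecode; only
    the entry names and manifest matter for the audit.
    """
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        zf.writestr("org/apache/logging/log4j/core/LogEvent.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Audit a constructed lib dir before and after stripping the class."""
    with tempfile.TemporaryDirectory() as lib:
        jar = os.path.join(lib, "log4j-core-2.8.2.jar")
        make_sample_jar(jar)
        before = audit_lib_dir(lib)
        removed = strip_jndi_lookup(jar)
        after = audit_lib_dir(lib)
        return before, removed, after


if __name__ == "__main__":
    before, removed, after = demo()
    print("before:", before)
    print("removed JndiLookup:", removed)
    print("after: ", after)
```

Running `audit_lib_dir` on a real Storm `lib/` directory answers both of Carmen's questions at once: the reported version shows whether the JARs are still 2.8.2 or have been replaced, and the boolean shows whether the class-removal mitigation has actually been applied to the copy that is on the classpath (a second copy bundled in a topology JAR would need the same check). Re-run it after any change so the state is verified rather than assumed.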