Posted to user@storm.apache.org by sagar chandak <ch...@gmail.com> on 2022/01/04 10:45:36 UTC

log4j critical Fix in Apache Storm 2.1.0 or 2.1.x - Any Plan ?

Hi Team,

As per the suggestion provided earlier to remove JndiLookup.class from the
storm lib, we have already incorporated it.
We want to move to a permanent fix for the log4j vulnerability, and we have
the questions below, for which we need community help/suggestions.



1.
I can see an ongoing discussion about incorporating the 2.17.x log4j version
in the latest version of storm (STORM-3810 and PR 3427).
We are using Storm 2.1.0. Any comments on whether there will be a release for
the 2.1.x version with the log4j fix, or is the only option to upgrade to the
latest stable release of storm that has the latest log4j jar fix incorporated?


2.
If we continue to use storm 2.1.0 and replace log4j-core-2.11.2.jar with
the latest log4j-core-2.17.1.jar in the storm library, what kind of issues
can we anticipate?
Also, is this approach feasible and advisable?
-- 
*Thanks and Regards*
*  Sagar B. Chandak*
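
Added example, not part of the original post and not Apache Storm project code: a check that reports, for each log4j-core jar under a lib directory, its version and whether JndiLookup.class is still packaged, covering both the class-removal mitigation and the jar replacement asked about above. The directory layout and sample jars are constructed, and 2.17.1 (the version named in the post) is assumed as the target.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def audit_lib(lib_dir):
    """Map each log4j-core jar (path relative to lib_dir) to (version, has JndiLookup)."""
    report = {}
    for jar in sorted(Path(lib_dir).rglob("log4j-core-*.jar")):
        m = JAR_NAME.search(jar.name)
        if not m:
            continue  # skip names without a plain numeric version, e.g. -sources jars
        version = tuple(int(p) for p in m.group(1).split("."))
        with zipfile.ZipFile(jar) as zf:
            has_jndi = JNDI_CLASS in zf.namelist()
        report[jar.relative_to(lib_dir).as_posix()] = (version, has_jndi)
    return report


def needs_attention(report, fixed=(2, 17, 1)):
    """Jars older than `fixed` (assumed target) that still ship JndiLookup.class."""
    return [name for name, (ver, jndi) in report.items() if ver < fixed and jndi]


def demo():
    """Audit three constructed lib directories; none of this is a real Storm install."""
    with tempfile.TemporaryDirectory() as d:
        other = "org/apache/logging/log4j/core/Logger.class"
        samples = {
            "unpatched/log4j-core-2.11.2.jar": [other, JNDI_CLASS],
            "stripped/log4j-core-2.11.2.jar": [other],  # class removed from the jar
            "upgraded/log4j-core-2.17.1.jar": [other, JNDI_CLASS],
        }
        for rel, entries in samples.items():
            Path(d, rel).parent.mkdir(parents=True, exist_ok=True)
            with zipfile.ZipFile(Path(d, rel), "w") as zf:
                for entry in entries:
                    zf.writestr(entry, b"")
        report = audit_lib(d)
        return report, needs_attention(report)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The upgraded jar is not flagged even though it still contains JndiLookup.class, so the check keys on version first and on the class only for older jars.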