You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@storm.apache.org by "Adarsh Shukla (Jira)" <ji...@apache.org> on 2022/04/01 08:58:00 UTC
[jira] [Created] (STORM-3840) log4j vulnerability
Adarsh Shukla created STORM-3840:
------------------------------------
Summary: log4j vulnerability
Key: STORM-3840
URL: https://issues.apache.org/jira/browse/STORM-3840
Project: Apache Storm
Issue Type: Requirement
Affects Versions: 2.3.0
Reporter: Adarsh Shukla
Hi Team,
When we ran our vulnerability scanner we found following components has log4j vulnerability
lib/jetty-servlets-9.4.14.v20181114.jar
lib/kafka-clients-0.11.0.3.jar
lib-tools/sql/core/protobuf-java-3.1.0.jar
lib-tools/sql/runtime/calcite-core-1.14.0.jar
lib-tools/sql/runtime/guava-16.0.1.jar
lib-tools/sql/runtime/guava-16.0.1.jar
lib-webapp/dropwizard-validation-1.3.5.jar
lib-webapp/dropwizard-validation-1.3.5.jar
lib-webapp/hibernate-validator-5.4.2.Final.jar
lib-webapp/hibernate-validator-6.0.17.Final.jar
lib-webapp/hibernate-validator-6.0.17.Final.jar
lib-webapp/jakarta.el-3.0.2.jar
Required versions to resolve vulnerabilities :
jetty-servlets > 9.4.41.v20210516
kafka-clients > 2.1.1
protobuf-java > 3.4.0
calcite-core > 1.26.0
guava > 30.0
dropwizard-validation > 1.3.21
hibernate-validator > 6.0.20
jakartha-el > 3.0.4
is there any procedure to follow to resolve this vulnerability issue while changing the required libraries in the given storm version? or Apache Storm team is planning to release a new version of Storm which handles the vulnerability issues?
Kindly let is know your feedback so that we can either upgrade the given packages under the current version of storm we have or we download the newer version of storm which implicitly handles this issue.
Thanks in advance
Regards,
Adarsh
--
This message was sent by Atlassian Jira
(v8.20.1#820001)