[jira] [Created] (STORM-3840) log4j vulnerability

["Adarsh Shukla (Jira)" <ji...@apache.org>]

Adarsh Shukla created STORM-3840:
------------------------------------

             Summary: log4j vulnerability
                 Key: STORM-3840
                 URL: https://issues.apache.org/jira/browse/STORM-3840
             Project: Apache Storm
          Issue Type: Requirement
    Affects Versions: 2.3.0
            Reporter: Adarsh Shukla


Hi Team,

 

When we ran our vulnerability scanner we found following components has log4j vulnerability

lib/jetty-servlets-9.4.14.v20181114.jar
lib/kafka-clients-0.11.0.3.jar
lib-tools/sql/core/protobuf-java-3.1.0.jar
lib-tools/sql/runtime/calcite-core-1.14.0.jar
lib-tools/sql/runtime/guava-16.0.1.jar
lib-tools/sql/runtime/guava-16.0.1.jar
lib-webapp/dropwizard-validation-1.3.5.jar
lib-webapp/dropwizard-validation-1.3.5.jar
lib-webapp/hibernate-validator-5.4.2.Final.jar
lib-webapp/hibernate-validator-6.0.17.Final.jar
lib-webapp/hibernate-validator-6.0.17.Final.jar
lib-webapp/jakarta.el-3.0.2.jar

 

Required versions to resolve vulnerabilities :

 

jetty-servlets > 9.4.41.v20210516
kafka-clients > 2.1.1
protobuf-java > 3.4.0
calcite-core > 1.26.0
guava > 30.0
dropwizard-validation > 1.3.21
hibernate-validator > 6.0.20
jakartha-el > 3.0.4

 

is there any procedure to follow to resolve this vulnerability issue while changing the required libraries in the given storm version? or Apache Storm team is planning to release a new version of Storm which handles the vulnerability issues?

 

Kindly let is know your feedback so that we can either upgrade the given packages under the current version of storm we have or we download the newer version of storm which implicitly handles this issue.

 

Thanks in advance

 

Regards,

Adarsh



--
This message was sent by Atlassian Jira
(v8.20.1#820001)