[ https://issues.apache.org/jira/browse/STORM-3809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ethan Li closed STORM-3809. --------------------------- > CVE-2021-44228 Log4Shell: upgrade log4j2 > ---------------------------------------- > > Key: STORM-3809 > URL: https://issues.apache.org/jira/browse/STORM-3809 > Project: Apache Storm > Issue Type: Bug > Components: storm-core > Affects Versions: 2.3.0, 2.2.1 > Reporter: Antoine Tran > Priority: Critical > > Recent critical CVE about log4shell > ([https://www.cvedetails.com/cve/CVE-2021-44228/)] affects Storm. (Eg: in > Storm 2.2.0, it uses log4j-api-2.11.2.jar) Any log4j2 between 2.0 and 2.14 is > affected. > > I did not found any issue or news related to Apache Storm and a fix. So I > create this ticket to track it down. > Please upgrade to latest Log4j2 >= 2.16.0 (see > [https://search.maven.org/artifact/org.apache.logging.log4j/log4j/2.16.0/pom)] > in both 2.2.X and 2.3.X Storm branches. Thank you! > -- This message was sent by Atlassian Jira (v8.20.1#820001)