Adarsh Shukla created STORM-3840:
------------------------------------
Summary: log4j vulnerability
Key: STORM-3840
URL: https://issues.apache.org/jira/browse/STORM-3840
Project: Apache Storm
Issue Type: Requirement
Affects Versions: 2.3.0
Reporter: Adarsh Shukla
Hi Team,
When we ran our vulnerability scanner, we found that the following components have a log4j
vulnerability:
lib/jetty-servlets-9.4.14.v20181114.jar
lib/kafka-clients-0.11.0.3.jar
lib-tools/sql/core/protobuf-java-3.1.0.jar
lib-tools/sql/runtime/calcite-core-1.14.0.jar
lib-tools/sql/runtime/guava-16.0.1.jar
lib-tools/sql/runtime/guava-16.0.1.jar
lib-webapp/dropwizard-validation-1.3.5.jar
lib-webapp/dropwizard-validation-1.3.5.jar
lib-webapp/hibernate-validator-5.4.2.Final.jar
lib-webapp/hibernate-validator-6.0.17.Final.jar
lib-webapp/hibernate-validator-6.0.17.Final.jar
lib-webapp/jakarta.el-3.0.2.jar
Required versions to resolve vulnerabilities :
jetty-servlets > 9.4.41.v20210516
kafka-clients > 2.1.1
protobuf-java > 3.4.0
calcite-core > 1.26.0
guava > 30.0
dropwizard-validation > 1.3.21
hibernate-validator > 6.0.20
jakarta-el > 3.0.4
Is there any procedure to follow to resolve this vulnerability issue while
changing the required libraries in the given Storm version? Or is the Apache Storm
team planning to release a new version of Storm which handles the
vulnerability issues?
Kindly let us know your feedback so that we can either upgrade the given
packages under the current version of Storm we have, or download the newer
version of Storm which implicitly handles this issue.
Thanks in advance
Regards,
Adarsh
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
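One way to reproduce the reporter's list locally before and after swapping jars, as an added example that is neither Apache Storm's code nor output of the scanner mentioned above: a Python script that parses Maven-style jar filenames, compares the version against the floors listed in the issue, and reports every jar that sits below its floor. The artifact names, version floors and sample paths are copied from the issue; the sample list is constructed inline (with two extra jars that are at or above their floor); reading the issue's "artifact > version" as "flag anything older than version" is an assumption about what the scanner meant.

```python
import re

# Version floors copied from the issue. The issue writes them as
# "artifact > version"; this script treats them as "flag anything older"
# (assumption about the scanner's meaning).
REQUIRED = {
    "jetty-servlets": "9.4.41.v20210516",
    "kafka-clients": "2.1.1",
    "protobuf-java": "3.4.0",
    "calcite-core": "1.26.0",
    "guava": "30.0",
    "dropwizard-validation": "1.3.21",
    "hibernate-validator": "6.0.20",
    "jakarta.el": "3.0.4",
}

# Maven-style jar name: <artifactId>-<version>.jar, where the version starts
# with a digit. Non-greedy artifact so "jetty-servlets-9.4.14..." splits at
# the first "-<digit>" boundary.
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.\-]*?)-(?P<version>\d[\w.\-]*)\.jar$"
)


def version_key(version):
    """Turn '9.4.14.v20181114' or '6.0.17.Final' into a tuple of ints.

    Numeric tokens compare numerically, Jetty's 'v20181114' date tags use the
    digits, and qualifiers such as 'Final' or 'jre' count as 0, so
    '6.0.17.Final' ranks the same as '6.0.17'.
    """
    parts = []
    for tok in re.split(r"[.\-]", version):
        m = re.fullmatch(r"v?(\d+)", tok)
        parts.append(int(m.group(1)) if m else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter tuples are zero-padded so '3.0' == '3.0.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def parse_jar(path):
    """Return (artifact, version) for a Maven-style jar path, else None."""
    m = JAR_RE.match(path.rsplit("/", 1)[-1])
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def find_outdated(paths, required=REQUIRED):
    """Return sorted (path, artifact, found, floor) for jars below their floor.

    Only the filename is inspected: a shaded or renamed jar that bundles an
    old copy of one of these libraries is not detected by this check.
    Duplicate paths are reported once.
    """
    hits = set()
    for p in paths:
        parsed = parse_jar(p)
        if parsed is None:
            continue
        artifact, found = parsed
        floor = required.get(artifact)
        if floor is not None and compare_versions(found, floor) < 0:
            hits.add((p, artifact, found, floor))
    return sorted(hits)


# Constructed input: the paths pasted in the issue, plus two jars that are
# at or above their floor and must not be flagged.
SAMPLE_PATHS = [
    "lib/jetty-servlets-9.4.14.v20181114.jar",
    "lib/kafka-clients-0.11.0.3.jar",
    "lib-tools/sql/core/protobuf-java-3.1.0.jar",
    "lib-tools/sql/runtime/calcite-core-1.14.0.jar",
    "lib-tools/sql/runtime/guava-16.0.1.jar",
    "lib-tools/sql/runtime/guava-16.0.1.jar",           # duplicate in the issue
    "lib-webapp/dropwizard-validation-1.3.5.jar",
    "lib-webapp/hibernate-validator-5.4.2.Final.jar",
    "lib-webapp/hibernate-validator-6.0.17.Final.jar",
    "lib-webapp/jakarta.el-3.0.2.jar",
    "lib-webapp/hibernate-validator-6.0.20.Final.jar",  # at the floor: not flagged
    "lib/guava-30.1.1-jre.jar",                         # above the floor: not flagged
]

if __name__ == "__main__":
    for path, artifact, found, floor in find_outdated(SAMPLE_PATHS):
        print(f"{path}: {artifact} {found} < {floor}")
```

To run it against a real distribution, replace SAMPLE_PATHS with the output of a directory walk over lib, lib-tools and lib-webapp. Because matching is by filename only, a second pass that unzips each jar and checks for the bundled classes is still needed to catch shaded copies.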