[ https://issues.apache.org/jira/browse/STORM-3840?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Zowalla resolved STORM-3840.
------------------------------------
    Fix Version/s: 2.6.0
       Resolution: Fixed

> log4j vulnerability
> -------------------
>
>                 Key: STORM-3840
>                 URL: https://issues.apache.org/jira/browse/STORM-3840
>             Project: Apache Storm
>          Issue Type: Requirement
>    Affects Versions: 2.3.0
>            Reporter: Adarsh Shukla
>            Priority: Major
>             Fix For: 2.6.0
>
>
> Hi Team,
>
> When we ran our vulnerability scanner, we found that the following
> components have the log4j vulnerability:
> lib/jetty-servlets-9.4.14.v20181114.jar
> lib/kafka-clients-0.11.0.3.jar
> lib-tools/sql/core/protobuf-java-3.1.0.jar
> lib-tools/sql/runtime/calcite-core-1.14.0.jar
> lib-tools/sql/runtime/guava-16.0.1.jar
> lib-tools/sql/runtime/guava-16.0.1.jar
> lib-webapp/dropwizard-validation-1.3.5.jar
> lib-webapp/dropwizard-validation-1.3.5.jar
> lib-webapp/hibernate-validator-5.4.2.Final.jar
> lib-webapp/hibernate-validator-6.0.17.Final.jar
> lib-webapp/hibernate-validator-6.0.17.Final.jar
> lib-webapp/jakarta.el-3.0.2.jar
>
> Required versions to resolve vulnerabilities:
>
> jetty-servlets          9.4.41.v20210516
> kafka-clients           2.1.1
> protobuf-java           3.4.0
> calcite-core            1.26.0
> guava                   30.0
> dropwizard-validation   1.3.21
> hibernate-validator     6.0.20
> jakarta-el              3.0.4
>
> Is there any procedure to follow to resolve this vulnerability issue while
> changing the required libraries in the given Storm version? Or is the Apache
> Storm team planning to release a new version of Storm which handles the
> vulnerability issues?
>
> Kindly let us know your feedback so that we can either upgrade the given
> packages under the current version of Storm we have or download the newer
> version of Storm which implicitly handles this issue.
>
> Thanks in advance
>
> Regards,
> Adarsh

--
This message was sent by Atlassian Jira
(v8.20.10#820010)