[ 
https://issues.apache.org/jira/browse/STORM-3840?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Richard Zowalla resolved STORM-3840.
------------------------------------
    Fix Version/s: 2.6.0
       Resolution: Fixed

> log4j vulnerability
> -------------------
>
>                 Key: STORM-3840
>                 URL: https://issues.apache.org/jira/browse/STORM-3840
>             Project: Apache Storm
>          Issue Type: Requirement
>    Affects Versions: 2.3.0
>            Reporter: Adarsh Shukla
>            Priority: Major
>             Fix For: 2.6.0
>
>
> Hi Team,
>  
> When we ran our vulnerability scanner, we found that the following components have the log4j 
> vulnerability:
> lib/jetty-servlets-9.4.14.v20181114.jar
> lib/kafka-clients-0.11.0.3.jar
> lib-tools/sql/core/protobuf-java-3.1.0.jar
> lib-tools/sql/runtime/calcite-core-1.14.0.jar
> lib-tools/sql/runtime/guava-16.0.1.jar
> lib-tools/sql/runtime/guava-16.0.1.jar
> lib-webapp/dropwizard-validation-1.3.5.jar
> lib-webapp/dropwizard-validation-1.3.5.jar
> lib-webapp/hibernate-validator-5.4.2.Final.jar
> lib-webapp/hibernate-validator-6.0.17.Final.jar
> lib-webapp/hibernate-validator-6.0.17.Final.jar
> lib-webapp/jakarta.el-3.0.2.jar
>  
> Required versions to resolve the vulnerabilities:
>  
> jetty-servlets > 9.4.41.v20210516
> kafka-clients > 2.1.1
> protobuf-java > 3.4.0
> calcite-core > 1.26.0
> guava > 30.0
> dropwizard-validation > 1.3.21
> hibernate-validator > 6.0.20
> jakarta.el > 3.0.4
>  
> Is there any procedure to follow to resolve this vulnerability issue by 
> changing the required libraries in the given Storm version? Or is the Apache Storm 
> team planning to release a new version of Storm which handles the 
> vulnerability issues?
>  
> Kindly let us know your feedback so that we can either upgrade the given 
> packages under the current version of Storm we have, or download the newer 
> version of Storm which implicitly handles this issue.
>  
> Thanks in advance
>  
> Regards,
> Adarsh

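One way to check an unpacked Storm distribution against the versions the report lists, as an added example that is not code from the Jira thread or the Storm project. It assumes each listed version is the minimum acceptable one (the report writes ">"), parses `<artifact>-<version>.jar` file names, and embeds the report's jar list as a constructed sample.

```python
"""Flag Storm jars older than the STORM-3840 required versions. Added example, not Storm code."""
import re
from pathlib import Path

# Artifact -> version the report names; treated here as the minimum acceptable version.
REQUIRED = {
    "jetty-servlets": "9.4.41.v20210516", "kafka-clients": "2.1.1",
    "protobuf-java": "3.4.0", "calcite-core": "1.26.0", "guava": "30.0",
    "dropwizard-validation": "1.3.21", "hibernate-validator": "6.0.20",
    "jakarta.el": "3.0.4",
}
# <artifact>-<version>.jar: artifact may contain '-' or '.', version starts with a digit.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.]*)\.jar$")

def version_key(version):
    # '9.4.14.v20181114' or '5.4.2.Final': digit runs compare as ints, other runs as text
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))

def check_jars(jar_paths):
    """Return (path, artifact, installed, required) for jars older than REQUIRED."""
    findings = []
    for path in jar_paths:
        m = JAR_RE.match(Path(path).name)
        if not m:
            continue                       # not a <name>-<version>.jar file name
        artifact, installed = m.group("artifact"), m.group("version")
        required = REQUIRED.get(artifact)  # artifacts not in the report are skipped
        if required and version_key(installed) < version_key(required):
            findings.append((path, artifact, installed, required))
    return findings

def scan_storm_home(storm_home):
    """Walk a real unpacked distribution (lib/, lib-tools/, lib-webapp/, ...)."""
    return check_jars(str(p) for p in Path(storm_home).rglob("*.jar"))

# Constructed sample: the jars named in the report, plus one already at the
# required version to show it is not flagged.
SAMPLE_JARS = [
    "lib/jetty-servlets-9.4.14.v20181114.jar", "lib/kafka-clients-0.11.0.3.jar",
    "lib-tools/sql/core/protobuf-java-3.1.0.jar", "lib-tools/sql/runtime/calcite-core-1.14.0.jar",
    "lib-tools/sql/runtime/guava-16.0.1.jar", "lib-webapp/dropwizard-validation-1.3.5.jar",
    "lib-webapp/hibernate-validator-5.4.2.Final.jar", "lib-webapp/hibernate-validator-6.0.17.Final.jar",
    "lib-webapp/jakarta.el-3.0.2.jar",
    "lib-webapp/hibernate-validator-6.0.20.Final.jar",  # constructed: meets required, not flagged
]

if __name__ == "__main__":
    for path, artifact, installed, required in check_jars(SAMPLE_JARS):
        print(f"{path}: {artifact} {installed} is below required {required}")
```

Run `scan_storm_home("/path/to/apache-storm-2.3.0")` against a real unpacked release to get the same tuples for its jars.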


--
This message was sent by Atlassian Jira
(v8.20.10#820010)