[ https://issues.apache.org/jira/browse/STORM-3812?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Zowalla closed STORM-3812.
----------------------------------
    Resolution: Fixed

> Storm release packages log4j v1
> -------------------------------
>
>                 Key: STORM-3812
>                 URL: https://issues.apache.org/jira/browse/STORM-3812
>             Project: Apache Storm
>          Issue Type: Improvement
>            Reporter: Liang Zhao
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> log4j v1 is at its EOL, but due to some implicit package references in
> maven, some tools/libs are still packaging log4j. All latest releases are
> being impacted.
>
> Packages impacted:
> * storm-autocreds
> * storm-kafka-monitor
>
> It would be good to fix/release this together with log4j v2 recent CVEs, thus
> vulnerability scan will be clear for log4j vulnerability.
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)