Re: How to address log4j vulnerability in Storm 1.2.2

2022-01-11 Thread Rui Abreu
Hi Carmen,

I haven't tested that solution myself yet, but in theory it could work. You can try that on a dev machine. Try to replace the log4j JARs shipped with your version of Storm with the latest one and try to spot any runtime errors.

On Tue, Jan 11, 2022, 23:28 Carmen Molatch wrote:
> Hell

Re: How to address log4j vulnerability in Storm 1.2.2

2022-01-11 Thread Carmen Molatch
Hello Rui.

Thanks for your response. I implemented the change recommended in your link several weeks ago; however, the company is asking to upgrade the log4j* files to 2.17.1. So, can I simply replace the 2.8.2 log4j* files in Storm 1.2.2, or do I upgrade? I checked the latest storm release

Re: How to address log4j vulnerability in Storm 1.2.2

2022-01-11 Thread Rui Abreu
You can follow the instructions from the Apache Log4j project and just remove the JndiLookup class from the classpath:

- zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

On Tue, 11 Jan 2022 at 20:42, Carm
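
A way to verify the mitigation described in the message above, as an added example that is not part of the original thread or of the Storm or Log4j projects: it reports which jars under a directory still contain JndiLookup.class and shows the same removal that zip -d performs. It goes slightly beyond the log4j-core-*.jar glob by checking every *.jar; the function names and the sample jar are constructed for illustration.

```python
import io
import sys
import zipfile
from pathlib import Path

# Entry named in the zip -d command quoted in the thread.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def has_jndi_lookup(jar):
    """True if the jar (path or file object) still contains JndiLookup.class."""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_CLASS in zf.namelist()

def strip_jndi_lookup(jar_bytes):
    """Return a copy of the jar without JndiLookup.class (same effect as zip -d)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()

def audit(lib_dir):
    """Map each jar under lib_dir to whether it still ships the class.
    Jars nested inside other jars are not opened."""
    return {p.name: has_jndi_lookup(p)
            for p in sorted(Path(lib_dir).rglob("*.jar"))}

def make_sample_jar():
    """Constructed stand-in for a log4j-core jar (placeholder bytes, not real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_CLASS, b"constructed placeholder")
        zf.writestr("org/apache/logging/log4j/core/Logger.class",
                    b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_jndi.py /path/to/storm/lib
        for name, present in audit(sys.argv[1]).items():
            print(f"{'STILL PRESENT' if present else 'removed/absent':15} {name}")
    else:
        patched = strip_jndi_lookup(make_sample_jar())
        print("sample jar patched:", not has_jndi_lookup(io.BytesIO(patched)))
```

Run it against the Storm lib directories on every node after patching, since a single unpatched copy of the jar on the classpath leaves the lookup available.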

How to address log4j vulnerability in Storm 1.2.2

2022-01-11 Thread Carmen Molatch
Hello,

We have Storm 1.2.2. Do I need to upgrade to a later version or can I replace the log4j* files (2.8.2) with the latest 2.17.1 files? Is that advisable or should it be avoided?

Thank you,
Carmen