Hi Jason,
- I researched that based on commit history, v0.10.2 uses log4j 2.1.
From the upgraded commits path in master branch, 2.1 -> 2.8 -> 2.8.2 -> 2.11.1 -> 2.11.2 -> 2.16.0 -> 2.17.0 -> 2.17.1.
The dependency is isolated and can be upgraded individually.
- I discussed with Bipin, and while there is no release planned for v0.10.2, you can still manually patch it.
Rationale being that Storm utilises the Java class loading mechanism, and dependencies can be individually upgraded.
- I have successfully patched v0.10.2 using the principles of the Java class loading mechanism.
It is done by manually replacing the 3 log4j JAR files in the apache-storm-0.10.2/lib folder:
  - Identify and download the official patches (and their dependencies) from:
    https://mvnrepository.com/artifact/org.apache.logging.log4j
    For convenience, direct link: -
  - Replace the libraries in apache-storm-0.10.2/lib:
    log4j-core-2.1.jar --> log4j-core-2.17.2.jar
    log4j-api-2.1.jar --> log4j-api-2.17.2.jar
    log4j-slf4j-impl-2.1.jar --> log4j-slf4j-impl-2.17.2.jar
  - Verify that the upgrade is successful:
    - Verify ANY/ALL log files are generated properly
    - Verify that the nimbus.log file is generated properly
    - Negative test case: remove the 3 libraries and nimbus.log will NOT be generated
    - The nimbus.log file prints out the 3 updated libraries in o.a.s.s.o.a.z.ZooKeeper [INFO] Client environment:java.class.path
--Peteriman
On 2022/04/21 00:37:22 Jason Tan wrote:
> Hi Bipin,
> Noted with thanks.
>
> Sent from Yahoo Mail on Android
>
> On Wed, 20 Apr 2022 at 10:36 pm, Bipin Prasad wrote:
> Hello Jason,
> No release is planned for 0.10.2.
>
> --Bipin
>
> On 2022/04/06 15:16:46 Jason Tan wrote:
> > Hi Apache Storm team,
> > I noticed there is a release for Storm 2.4 which fixes the log4j CVE-2021-44228 + CVE-2021-45046. Also noted that fixed versions for the CVEs include Storm 2.4.0, 2.3.1, 1.2.5, 2.2.2, 2.1.2.
> > Unfortunately we are using Storm 0.10.2. Can I check if there is / will be an official fix for Storm 0.10.x for the CVEs mentioned?
> > Thanks in advance
>
>