navneet sharma

Reputation: 1

Fix for Log4j vulnerability (CVE-2021-44228) for Apache Storm?

There is no version of Apache Storm that doesn't use a Log4j 2.x version (which is affected by the CVE-2021-44228 vulnerability).

I found this fix on the Log4j website:
you may remove the **JndiLookup** class from the classpath: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`

But I am not sure whether doing this will have any other effect on my Apache Storm functionality; what if the JndiLookup class is used by Storm internally?

What fix can I apply to my Storm installation (Storm 2.2.0) for the Log4j vulnerability (CVE-2021-44228)?

Upvotes: 0

Views: 702

Answers (1)

Peteriman Jackson

Reputation: 41

There is a recent Storm 2.4.0 release, from March 2022, that addresses your concerns.

Alternatively, you can manually patch it using the principles of the Java class loading mechanism:

  1. Identify and download the official patches (and their dependencies) from the Maven repository: https://mvnrepository.com/artifact/org.apache.logging.log4j

    For convenience, direct link:

  2. Replace the libraries in apache-storm-2.2.0/lib:

    log4j-core-2.11.2.jar       --> log4j-core-2.17.2.jar      
    log4j-api-2.11.2.jar        --> log4j-api-2.17.2.jar       
    log4j-slf4j-impl-2.11.2.jar --> log4j-slf4j-impl-2.17.2.jar
    
  3. Verify that the upgrade is successful:

    • Verify ANY/ALL log files are generated properly
      • Verify that nimbus.log file is generated properly
      • Negative test case is to remove the 3 libraries and nimbus.log will NOT be generated
    • The nimbus.log file prints out the 3 updated libraries on the `o.a.s.s.o.a.z.ZooKeeper [INFO] Client environment:java.class.path=` line

Upvotes: 1
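The answer's procedure (audit which log4j-core jar sits in `lib/`, either strip `JndiLookup.class` as the question's `zip -d` command does or swap in the 2.17.2 jars, then verify) can be checked mechanically rather than by eyeballing `nimbus.log`. The script below is an added example, not code from the question, the answer or the Storm project. It assumes the `apache-storm-2.2.0/lib/` layout the answer names; the jars it builds are constructed stand-ins with placeholder class bytes, not real Log4j or Storm artifacts, and `example-plugin-1.0.jar` is a hypothetical third-party jar used to show how a class that references `JndiLookup` directly would be flagged (the asker's "used internally" concern). The version logic goes beyond the page: CVE-2021-44228 is fixed in 2.15.0, with 2.12.2 and 2.3.1 as the backported fixes for the Java 7 and Java 6 lines.

```python
"""Audit a Storm lib/ directory for CVE-2021-44228 (Log4Shell) exposure.

Added example, not code from the question, the answer or Apache Storm.
Assumes the Storm layout apache-storm-2.2.0/lib/ with log4j-core-<ver>.jar.
Sample jars built here are constructed placeholders, not real artifacts.
"""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# A class that references JndiLookup carries its internal name in its constant pool.
JNDI_LOOKUP_REF = b"org/apache/logging/log4j/core/lookup/JndiLookup"
VERSION_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?\.jar$")


def parse_log4j_core_version(jar_name):
    """(major, minor, patch) from a log4j-core jar name; pre-release tags are ignored."""
    m = VERSION_RE.match(jar_name)
    if not m:
        raise ValueError(f"not a log4j-core jar name: {jar_name}")
    return tuple(int(x) for x in m.groups())


def affected_by_cve_2021_44228(version):
    """True when this log4j-core version ships the exploitable JndiLookup.

    Fixed in 2.15.0; 2.12.2 (Java 7 line) and 2.3.1 (Java 6 line) are backports.
    Log4j 1.x has no JndiLookup class at all.
    """
    major, minor, patch = version
    if major != 2 or (minor, patch) >= (15, 0):
        return False
    if (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return False
    return True


def audit_lib_dir(lib_dir):
    """Classify every jar in lib_dir.

    "log4j_core": {jar: "vulnerable" | "mitigated" (class stripped) | "fixed"}
    "jndi_references": [(jar, class_entry)] for other jars referencing JndiLookup.
    """
    report = {"log4j_core": {}, "jndi_references": []}
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
            entries = jar.namelist()
            if name.startswith("log4j-core-"):
                affected = affected_by_cve_2021_44228(parse_log4j_core_version(name))
                if not affected:
                    status = "fixed"
                elif JNDI_LOOKUP_CLASS in entries:
                    status = "vulnerable"
                else:
                    status = "mitigated"  # class removed, as the quoted Log4j advice suggests
                report["log4j_core"][name] = status
            else:
                for entry in entries:
                    if entry.endswith(".class") and JNDI_LOOKUP_REF in jar.read(entry):
                        report["jndi_references"].append((name, entry))
    return report


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (what `zip -q -d ...` in the question does)."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)


def build_sample_lib(root):
    """Constructed lib/ mirroring the pre-upgrade state the answer lists."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; placeholder, not real bytecode
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.11.2.jar"), "w") as z:
        z.writestr(JNDI_LOOKUP_CLASS, fake_class)
    with zipfile.ZipFile(os.path.join(lib, "log4j-api-2.11.2.jar"), "w") as z:
        z.writestr("org/apache/logging/log4j/Logger.class", fake_class)
    # Hypothetical third-party jar whose class references JndiLookup directly.
    with zipfile.ZipFile(os.path.join(lib, "example-plugin-1.0.jar"), "w") as z:
        z.writestr("com/example/Plugin.class", fake_class + JNDI_LOOKUP_REF)
    return lib


def demo():
    """Audit, strip the class, then swap in a constructed 2.17.2 jar; return the three reports."""
    root = tempfile.mkdtemp()
    try:
        lib = build_sample_lib(root)
        before = audit_lib_dir(lib)
        strip_jndi_lookup(os.path.join(lib, "log4j-core-2.11.2.jar"))
        after_strip = audit_lib_dir(lib)
        os.remove(os.path.join(lib, "log4j-core-2.11.2.jar"))
        with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.17.2.jar"), "w") as z:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # 2.17.x still ships the class, hardened
        return before, after_strip, audit_lib_dir(lib)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, rep in zip(("before", "after strip", "after upgrade"), demo()):
        print(label, rep)
```

Run it against a real install with `audit_lib_dir("/opt/apache-storm-2.2.0/lib")` instead of `demo()`. An empty `jndi_references` list answers the question's worry about Storm using `JndiLookup` internally for that installation's jars; a non-empty list names the jar and class to look at before stripping. The version check only covers CVE-2021-44228, which is why the answer's jump to 2.17.2 (covering the later Log4j CVEs as well) is the better fix than stripping the class.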
