Reputation: 1
There is no version of Apache Storm which doesn't use a log4j 2.x version (which is affected by the CVE-2021-44228 vulnerability).
I found this fix on the log4j website:
you may remove the **JndiLookup** class from the classpath: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`
but I am not sure whether doing this will have any other effect on my Apache Storm functionality; what if the JndiLookup class is used by Storm internally?
What fix can I apply to my Storm installation (Storm 2.2.0) for the log4j vulnerability (CVE-2021-44228)?
Upvotes: 0
Views: 702
Reputation: 41
There is a recent Storm 2.4.0 release (March 2022) that addresses your concerns.
Alternatively, you can manually patch it using the principles of the Java class loading mechanism:
Identify and download the official patches (and their dependencies) from https://mvnrepository.com/artifact/org.apache.logging.log4j
For convenience, direct link:
Replace the libraries in `apache-storm-2.2.0/lib`:

- `log4j-core-2.11.2.jar` --> `log4j-core-2.17.2.jar`
- `log4j-api-2.11.2.jar` --> `log4j-api-2.17.2.jar`
- `log4j-slf4j-impl-2.11.2.jar` --> `log4j-slf4j-impl-2.17.2.jar`
Verify that the upgrade is successful:

- the `nimbus.log` file is generated properly (otherwise `nimbus.log` will NOT be generated)
- the `nimbus.log` file prints out the 3 updated libraries in `o.a.s.s.o.a.z.ZooKeeper [INFO] Client environment:java.class.path=`
Upvotes: 1
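The two approaches in this thread (removing `JndiLookup.class` from the jar, as in the question, and swapping the jars then checking the `java.class.path=` line in `nimbus.log`, as in the answer) can be scripted so the state of a `lib/` directory is verified rather than eyeballed. The following is an added example in Python, not code from Apache Storm or Log4j. It assumes the `lib/` layout and `log4j-<artifact>-<version>.jar` file names shown above, uses the answer's 2.17.2 as the minimum acceptable version, and builds throwaway fake jars and a constructed `nimbus.log` line as sample input so it runs offline. It only inspects jar file names and entries, so a log4j copy shaded into some other (fat) jar would not be found by it.

```python
"""Audit a Storm lib/ directory for old log4j-core jars, apply the
JndiLookup-removal mitigation, and check the classpath line from nimbus.log.
Added example; assumes the lib/ layout and jar naming used in the thread."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Minimum version taken from the answer's target jars (2.17.2); assumption.
MIN_VERSION = (2, 17, 2)
JAR_RE = re.compile(r"^log4j-(core|api|slf4j-impl)-(\d+)\.(\d+)\.(\d+)\.jar$")

# Constructed sample of the nimbus.log line the answer uses for verification.
SAMPLE_NIMBUS_LOG = (
    "2022-04-01 10:00:00.000 o.a.s.s.o.a.z.ZooKeeper main [INFO] "
    "Client environment:java.class.path="
    "/opt/apache-storm-2.2.0/lib/log4j-core-2.17.2.jar:"
    "/opt/apache-storm-2.2.0/lib/log4j-api-2.17.2.jar:"
    "/opt/apache-storm-2.2.0/lib/log4j-slf4j-impl-2.17.2.jar:"
    "/opt/apache-storm-2.2.0/lib/storm-client-2.2.0.jar\n"
)


def parse_log4j_jar(name):
    """Return (artifact, (major, minor, patch)) for a log4j jar name, else None."""
    m = JAR_RE.match(os.path.basename(name))
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def jar_has_jndi_lookup(path):
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(path) as zf:
        return JNDI_CLASS in zf.namelist()


def audit_lib_dir(lib_dir):
    """Classify every log4j jar in lib_dir; returns {jar name: status}."""
    result = {}
    for name in sorted(os.listdir(lib_dir)):
        parsed = parse_log4j_jar(name)
        if parsed is None:
            continue  # not a log4j jar, e.g. storm-client-*.jar
        artifact, version = parsed
        path = os.path.join(lib_dir, name)
        if artifact == "core" and version < MIN_VERSION:
            if jar_has_jndi_lookup(path):
                result[name] = "VULNERABLE: old log4j-core with JndiLookup"
            else:
                result[name] = "MITIGATED: JndiLookup removed, upgrade still advised"
        elif version < MIN_VERSION:
            result[name] = "OUTDATED: upgrade together with log4j-core"
        else:
            result[name] = "OK"
    return result


def mitigate_core_jars(lib_dir):
    """Rewrite every old log4j-core jar without JndiLookup.class (same effect
    as the 'zip -q -d ... JndiLookup.class' command in the question).
    Returns the list of jars that were modified."""
    modified = []
    for name in sorted(os.listdir(lib_dir)):
        parsed = parse_log4j_jar(name)
        if parsed is None or parsed[0] != "core" or parsed[1] >= MIN_VERSION:
            continue
        path = os.path.join(lib_dir, name)
        buf = io.BytesIO()
        with zipfile.ZipFile(path) as src, zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
        with open(path, "wb") as f:
            f.write(buf.getvalue())
        modified.append(name)
    return modified


def classpath_log4j_versions(log_text):
    """Parse the 'Client environment:java.class.path=' line from nimbus.log
    and return {artifact: version tuple} for the log4j jars on it."""
    found = {}
    for line in log_text.splitlines():
        if "Client environment:java.class.path=" not in line:
            continue
        for entry in line.split("java.class.path=", 1)[1].split(":"):
            parsed = parse_log4j_jar(entry)
            if parsed:
                found[parsed[0]] = parsed[1]
    return found


def make_constructed_lib_dir():
    """Build a throwaway lib/ with fake (empty-entry) jars: constructed data."""
    lib_dir = tempfile.mkdtemp(prefix="storm-lib-")
    fake_jars = {
        "log4j-core-2.11.2.jar": [JNDI_CLASS, "META-INF/MANIFEST.MF"],
        "log4j-api-2.11.2.jar": ["META-INF/MANIFEST.MF"],
        "storm-client-2.2.0.jar": ["META-INF/MANIFEST.MF"],
    }
    for name, entries in fake_jars.items():
        with zipfile.ZipFile(os.path.join(lib_dir, name), "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")
    return lib_dir


if __name__ == "__main__":
    lib = make_constructed_lib_dir()
    print("before:", audit_lib_dir(lib))
    print("modified:", mitigate_core_jars(lib))
    print("after:", audit_lib_dir(lib))
    print("nimbus.log classpath:", classpath_log4j_versions(SAMPLE_NIMBUS_LOG))
```

Run it against a real installation by replacing `make_constructed_lib_dir()` with the path to `apache-storm-2.2.0/lib` and feeding the real `nimbus.log` to `classpath_log4j_versions`; the audit is what you want to see report `OK` for all three jars after the swap described in the answer, and the classpath parser confirms the running Nimbus actually loaded the replaced files rather than stale copies elsewhere on the path.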