Log4J vulnerability - CVE-2021-44228
What kind of issue is this?
- [ ] Question. This issue tracker is not the best place for questions. If you want to ask how to do something, or to understand why something isn’t working the way you expect it to, use StackOverflow instead with the label ‘stormcrawler’: https://stackoverflow.com/questions/tagged/stormcrawler
- Bug report. If you’ve found a bug, please include a test if you can, it makes it a lot easier to fix things. Use the label ‘bug’ on the issue.
- Feature request. Please use the label ‘wish’ on the issue.
Thanks!
Adding this issue in order to let you know that the stormcrawler project is being affected by the vulnerability documented here https://nvd.nist.gov/vuln/detail/CVE-2021-44228, related to log4j.
```
✘ jmartini@cacute-xps ~/workspace/storm-crawler-fork master mvn dependency:tree | grep log4j
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.11.2:provided
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.11.2:provided
```
We can create a PR to fix this on our end, overriding the dependencies that are coming from the Apache Storm dependency.
Top GitHub Comments
See STORM-3808. For a StormCrawler instance running on Storm, removing the JndiLookup.class from the log4j-core jar shipped with Storm is highly recommended, as Storm’s jars are in front of the classpath. This could even be done without stopping the process, see https://github.com/corretto/hotpatch-for-apache-log4j2
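The check and the class-removal step from the comment above, as an added example that is not from the issue or the StormCrawler project: it audits a lib directory for log4j-core jars that still ship `JndiLookup.class` and rewrites the jar without it. The temp directory and the sample 2.11.2 jar are constructed here; the version threshold is an assumption based on the log4j 2.15.0/2.16.0 fixes.

```python
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 16, 0)  # 2.15.0 disabled JNDI lookups by default; 2.16.0 removed message lookups

def jar_version(name):
    """Parse (2, 11, 2) from '.../log4j-core-2.11.2.jar'; None if no version suffix."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", name)
    return tuple(int(x) for x in m.groups()) if m else None

def audit_jar(path):
    """Return (has_jndi_lookup, version, vulnerable); unknown version + class present = vulnerable."""
    with zipfile.ZipFile(path) as z:
        has_jndi = JNDI_CLASS in z.namelist()
    ver = jar_version(path)
    return has_jndi, ver, has_jndi and (ver is None or ver < FIXED)

def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (what `zip -q -d` does); True if removed."""
    tmp, removed = path + ".tmp", False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))
    os.replace(tmp, path)
    return removed

def scan_dir(root):
    """Audit every log4j-core jar below root (e.g. Storm's lib dir): {path: audit tuple}."""
    return {p: audit_jar(p) for d, _, fs in os.walk(root)
            for p in (os.path.join(d, f) for f in fs) if jar_version(p)}

def make_sample_jar(directory, version="2.11.2"):
    """Constructed stand-in for the 2.11.2 jar in the issue; entry bytes are placeholders."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class file
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path

def demo():
    """Build the sample jar in a temp dir, audit it, strip JndiLookup, audit again."""
    lib = tempfile.mkdtemp()
    jar = make_sample_jar(lib)
    before = scan_dir(lib)[jar]
    strip_jndi_lookup(jar)
    return before, audit_jar(jar)  # ((True, (2, 11, 2), True), (False, (2, 11, 2), False))
```

Point `scan_dir` at a real Storm `lib/` directory to see which shipped jars still carry the class; stripping it is a stop-gap until the log4j version itself is overridden.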
Yes, the log4j dependency needs to be overridden. Nevertheless, the enforcer plugin makes sure that this is done in all modules. Later on, with the next version of Storm, we can remove the log4j dependency.