Log4J vulnerability - CVE-2021-44228See original GitHub issue
What kind of issue is this?
 Question. This issue tracker is not the best place for questions. If you want to ask how to do something, or to understand why something isn’t working the way you expect it to, use StackOverflow instead with the label ‘stormcrawler’: https://stackoverflow.com/questions/tagged/stormcrawler
Bug report. If you’ve found a bug, please include a test if you can, it makes it a lot easier to fix things. Use the label ‘bug’ on the issue.
Feature request. Please use the label ‘wish’ on the issue.
Adding this issue, in order to let you know that the stormcrawler project is being affected by the vulnerability documented here https://nvd.nist.gov/vuln/detail/CVE-2021-44228 related with log4j.
✘ jmartini@cacute-xps ~/workspace/storm-crawler-fork master mvn dependency:tree | grep log4j [INFO] | +- org.apache.logging.log4j:log4j-api:jar:2.11.2:provided [INFO] | +- org.apache.logging.log4j:log4j-core:jar:2.11.2:provided
we can create a PR for fixing this on our end , overriding the dependencies that are coming from apache storm dependency
- Created 2 years ago
- Comments:7 (3 by maintainers)
Top GitHub Comments
See STORM-3808. For a StormCrawler instance running on Storm removing the JndiLookup.class from the log4j-core jar shipped with Storm is highly recommended as Storm’s jar are in front of the classpath. Could be even done without stopping the process, see https://github.com/corretto/hotpatch-for-apache-log4j2
Yes, the log4j dependency needs to be overridden. Nevertheless, the enforcer plugin makes sure that this is done in all modules. Later on, with the next version of Storm, we can remove the log4j dependency.