[ https://issues.apache.org/jira/browse/STORM-3814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17468083#comment-17468083 ]
Franco Luong commented on STORM-3814:
-------------------------------------

seems to be addressed by https://issues.apache.org/jira/projects/STORM/issues/STORM-3810

> storm-core: Remediate log4j critical vulnerabilities -> 2.16.0 or newer, prefer 2.17.1
> --------------------------------------------------------------------------------------
>
>                 Key: STORM-3814
>                 URL: https://issues.apache.org/jira/browse/STORM-3814
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-core
>    Affects Versions: 1.2.3, 2.3.0
>            Reporter: Franco Luong
>            Priority: Critical
>
> * [https://logging.apache.org/log4j/2.x/security.html]
>
> *In order to remediate these bugs with Log4j, please update Storm 2.3.0 and 1.2.3*
> * Criticals
> ** Fixed in Log4j 2.16.0 (Java 8) and Log4j 2.12.2 (Java 7)
> *** [CVE-2021-45046|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046]: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
> ** Fixed in Log4j 2.15.0 (Java 8)
> *** [CVE-2021-44228|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228]: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
> * Moderates
> ** Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)
> *** [CVE-2021-44832|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832]: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
> ** Fixed in Log4j 2.17.0 (Java 8), 2.12.3 (Java 7) and 2.3.1 (Java 6)
> *** [CVE-2021-45105|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105]: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation

--
This message was sent by Atlassian Jira
(v8.20.1#820001)