Hi Team,

As per the suggestion provided earlier of removing JndiLookup.class from the storm lib, we have already incorporated it. We want to move to a permanent fix for the log4j vulnerability, and we have the questions below, for which we need community help/suggestions.
1. I can see the ongoing discussion about incorporating the 2.17.x log4j version in the latest version of Storm (STORM-3810 and PR 3427). We are using Storm 2.1.0. Any comments on whether there will be a release for the 2.1.x version with the log4j fix, or is the only option to upgrade to the latest stable release of Storm that has the latest log4j jar fix incorporated?

2. If we continue to use Storm 2.1.0 and replace log4j-core-2.11.2.jar with the latest log4j-core-2.17.1.jar in the storm library, what kind of issues can we anticipate? Also, is this approach feasible and advisable?

--
*Thanks and Regards*
*Sagar B. Chandak*
