fix for log4j vulnerability (CVE-2021-44228) for Apache storm?

Question

There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability).

I found this fix on log4j website:
you may remove the **JndiLookup** class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

but I am not sure whether doing this will have any other affect on my apache storm functionality, what if JndiLookup class is used by storm internally.

What fix can I apply to my storm Installation (storm 2.2.0) for log4j vulnerability (CVE-2021-44228)?

Answer 1

There is a recent Storm 2.4.0 release in March 2022 that addressed your concerns.

Alternatively, you can manually patch it using the principles of Java class loading mechanism:

1. Identify and download the official patches (and its dependencies) in this manner: https://mvnrepository.com/artifact/org.apache.logging.log4j

   For convenience, direct link:

   • log4j-core-2.17.2.jar
   • log4j-api-2.17.2.jar
   • log4j-slf4j-impl-2.17.2.jar

2. Replace the libraries in apache-storm-2.2.0/lib:

   log4j-core-2.11.2.jar       --> log4j-core-2.17.2.jar      
   log4j-api-2.11.2.jar        --> log4j-api-2.17.2.jar       
   log4j-slf4j-impl-2.11.2.jar --> log4j-slf4j-impl-2.17.2.jar
   

3. Verify that the upgrade is successful:

   • Verify ANY/ALL log files are generated properly
     • Verify that nimbus.log file is generated properly
     • Negative test case is to remove the 3 libraries and nimbus.log will NOT be generated
   • The nimbus.log file prints out the 3 updated libraries in o.a.s.s.o.a.z.ZooKeeper [INFO] Client environment:java.class.path=