Hi Team, We have been receiving multiple issues wrt the Log4j vulnerability in storm and zookeeper packages. Specifically in storm we found following packages which are the result of the vulnerability scan current version storm we are using is Storm 2.3.0 lib/jetty-servlets-9.4.14.v20181114.jar lib/kafka-clients-0.11.0.3.jar lib-tools/sql/core/protobuf-java-3.1.0.jar lib-tools/sql/runtime/calcite-core-1.14.0.jar lib-tools/sql/runtime/guava-16.0.1.jar lib-tools/sql/runtime/guava-16.0.1.jar lib-webapp/dropwizard-validation-1.3.5.jar lib-webapp/dropwizard-validation-1.3.5.jar lib-webapp/hibernate-validator-5.4.2.Final.jar lib-webapp/hibernate-validator-6.0.17.Final.jar lib-webapp/hibernate-validator-6.0.17.Final.jar lib-webapp/jakarta.el-3.0.2.jar Required versions to resolve vulnerabilities : jetty-servlets > 9.4.41.v20210516 kafka-clients > 2.1.1 protobuf-java > 3.4.0 calcite-core > 1.26.0 guava > 30.0 dropwizard-validation > 1.3.21 hibernate-validator > 6.0.20 jakartha-el > 3.0.4 and for zookeeper aswell we would need the fix to handle log4j vulnerability issue, as of now we see the zookeeper is not effected but we would like to understand if there is any plan to upgrade the zookeeper package in future which minimize the vulnerability issue? Thanks in advance Regards, Adarsh
Please open an issue against Apache Zookeeper and / or Apache Storm here: https://issues.apache.org/jira/secure/Dashboard.jspa