Bug 65990 - Zookeeper and Storm Log4j Vulnerability issue
Summary: Zookeeper and Storm Log4j Vulnerability issue
Status: RESOLVED INVALID
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: support
Version: 2.5-HEAD
Hardware: All All
Importance: P2 critical
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2022-04-01 07:20 UTC by Adarsh Shukla
Modified: 2022-04-01 08:32 UTC
Description Adarsh Shukla 2022-04-01 07:20:39 UTC

    
Comment 1 Adarsh Shukla 2022-04-01 07:25:47 UTC
Hi Team,

We have been receiving multiple issues wrt the Log4j vulnerability in the Storm and Zookeeper packages.

Specifically, in Storm we found the following packages as a result of the vulnerability scan.

The current version of Storm we are using is Storm 2.3.0.

lib/jetty-servlets-9.4.14.v20181114.jar
lib/kafka-clients-0.11.0.3.jar
lib-tools/sql/core/protobuf-java-3.1.0.jar
lib-tools/sql/runtime/calcite-core-1.14.0.jar
lib-tools/sql/runtime/guava-16.0.1.jar
lib-tools/sql/runtime/guava-16.0.1.jar
lib-webapp/dropwizard-validation-1.3.5.jar
lib-webapp/dropwizard-validation-1.3.5.jar
lib-webapp/hibernate-validator-5.4.2.Final.jar
lib-webapp/hibernate-validator-6.0.17.Final.jar
lib-webapp/hibernate-validator-6.0.17.Final.jar
lib-webapp/jakarta.el-3.0.2.jar


Required versions to resolve vulnerabilities:

jetty-servlets > 9.4.41.v20210516
kafka-clients > 2.1.1
protobuf-java > 3.4.0
calcite-core > 1.26.0
guava > 30.0
dropwizard-validation > 1.3.21
hibernate-validator > 6.0.20
jakarta.el > 3.0.4


And for Zookeeper as well, we would need the fix to handle the Log4j vulnerability issue. As of now we see that Zookeeper is not affected, but we would like to understand if there is any plan to upgrade the Zookeeper package in the future which minimizes the vulnerability issue?

Thanks in advance

Regards,
Adarsh
Comment 2 Ruediger Pluem 2022-04-01 08:32:24 UTC
Please open an issue against Apache Zookeeper and / or Apache Storm here:
https://issues.apache.org/jira/secure/Dashboard.jspa