From 891396f7b6935c3716b195651dad332e03180d77 Mon Sep 17 00:00:00 2001
From: Pierre Riteau
Date: Thu, 13 Jan 2022 22:35:27 +0100
Subject: [PATCH] Mitigate two Log4j vulnerabilities in Apache Storm

The Log4j version was bumped on GitHub [1] but it is still pending inclusion in a release of Apache Storm. Apply the alternative mitigation recommended by Log4j [2] of removing the JndiLookup class from the classpath.

[1] https://github.com/apache/storm/pull/3427
[2] https://logging.apache.org/log4j/2.x/security.html

Change-Id: Ib3ecd73f9e39e320acb2c5f0962b8af9b1a817e9
(cherry picked from commit 448e4f56aa6218a66b0074329d322c0b6089b2e6)
---
 docker/storm/storm-base/Dockerfile.j2 | 5 +++++
 ...torm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml | 5 +++++
 2 files changed, 10 insertions(+)
 create mode 100644 releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml

diff --git a/docker/storm/storm-base/Dockerfile.j2 b/docker/storm/storm-base/Dockerfile.j2
index 0f6fecbe1c..cc07ff5ffb 100644
--- a/docker/storm/storm-base/Dockerfile.j2
+++ b/docker/storm/storm-base/Dockerfile.j2
@@ -12,6 +12,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {% if base_package_type == 'rpm' %}
 {% set storm_packages = [
     'java-1.8.0-openjdk-headless',
+    'zip',
 ] %}
 {% elif base_package_type == 'deb' %}
@@ -23,6 +24,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {% set storm_packages = [
     'openjdk-' + java_version + '-jre-headless',
+    'zip',
 ] %}
 {% endif %}
@@ -40,6 +42,9 @@ RUN curl -o /tmp/storm.tgz ${storm_url} \
     && tar --strip 1 -xvf /tmp/storm.tgz -C /opt/storm \
     && rm -f /tmp/storm.tgz
+# Mitigation for CVE-2021-44228 and CVE-2021-45046: remove the JndiLookup class
+# from the classpath
+RUN zip -q -d /opt/storm/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 {% endblock %}
 {% block storm_python_version %}
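Review bot: In the third hunk, `RUN zip -q -d /opt/storm/lib/log4j-core-*.jar …` assumes the glob expands to exactly one jar: a second match would be passed to zip as an entry pattern rather than an archive, and any log4j-core copy outside lib/ (Storm 2.x ships more than one classpath directory — confirm against the extracted tarball) keeps JndiLookup. Nothing checks the result either, although zip is now installed and `zip -sf "$jar"` can list the patched archive so the layer fails if the class survives. Iterating over every log4j-core jar found under /opt/storm with an explicit check covers both points, and the behaviour on a jar without that entry deserves a comment such as `# zip exits 12 when the entry is absent, which deliberately fails the build`. The curl/tar RUN shown in the hunk header is unchanged and begins before the hunk's first visible line.
```dockerfile
# … unchanged: curl / tar / rm of the Storm tarball …
# Mitigation for CVE-2021-44228 and CVE-2021-45046: remove the JndiLookup class
# from every bundled log4j-core jar and fail the build if any copy still has it
# (zip exits 12 when the entry is absent, which deliberately fails the build)
RUN for jar in $(find /opt/storm -name 'log4j-core-*.jar'); do \
        zip -q -d "$jar" org/apache/logging/log4j/core/lookup/JndiLookup.class || exit 1; \
        if zip -sf "$jar" | grep -q JndiLookup; then exit 1; fi; \
    done
```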
diff --git a/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml b/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml
new file mode 100644
index 0000000000..5126662ad0
--- /dev/null
+++ b/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Adds mitigation for Apache Log4j 2 Remote Code Execution (RCE)
+    vulnerabilities CVE-2021-44228 and CVE-2021-45046 to Apache Storm.