Mitigate two Log4j vulnerabilities in Apache Storm

The Log4j version was bumped on GitHub [1] but it is still pending inclusion in a release of Apache Storm. Apply the alternative mitigation recommended by Log4j [2] of removing the JndiLookup class from the classpath. [1] https://github.com/apache/storm/pull/3427 [2] https://logging.apache.org/log4j/2.x/security.html Change-Id: Ib3ecd73f9e39e320acb2c5f0962b8af9b1a817e9
2022-01-13 22:35:27 +01:00 · 2022-01-13 22:35:27 +01:00 · 448e4f56aa
commit 448e4f56aa
parent 788e340f37
2 changed files with 10 additions and 0 deletions
--- a/docker/storm/storm-base/Dockerfile.j2
+++ b/docker/storm/storm-base/Dockerfile.j2
@ -12,6 +12,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {% if base_package_type == 'rpm' %}
    {% set storm_packages = [
        'java-1.8.0-openjdk-headless',
+        'zip',
    ] %}
 {% elif base_package_type == 'deb' %}

@ -23,6 +24,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build

    {% set storm_packages = [
        'openjdk-' + java_version + '-jre-headless',
+        'zip',
    ] %}
 {% endif %}

@ -40,6 +42,9 @@ RUN curl -o /tmp/storm.tgz ${storm_url} \
    && tar --strip 1 -xvf /tmp/storm.tgz -C /opt/storm \
    && rm -f /tmp/storm.tgz

+# Mitigation for CVE-2021-44228 and CVE-2021-45046: remove the JndiLookup class
+# from the classpath
+RUN zip -q -d /opt/storm/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 {% endblock %}

 {% block storm_python_version %}
--- a/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml
+++ b/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml
@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Adds mitigation for Apache Log4j 2 Remote Code Execution (RCE)
+    vulnerabilities CVE-2021-44228 and CVE-2021-45046 to Apache Storm.