Merge "Mitigate two Log4j vulnerabilities in Apache Storm"

2022-01-21 16:22:26 +00:00 · 2022-01-21 16:22:26 +00:00 · d7dde02653
parent f7ef6c243a 448e4f56aa
commit d7dde02653
2 changed files with 10 additions and 0 deletions
--- a/docker/storm/storm-base/Dockerfile.j2
+++ b/docker/storm/storm-base/Dockerfile.j2
@ -12,6 +12,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {% if base_package_type == 'rpm' %}
    {% set storm_packages = [
        'java-1.8.0-openjdk-headless',
+        'zip',
    ] %}
 {% elif base_package_type == 'deb' %}

@ -23,6 +24,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build

    {% set storm_packages = [
        'openjdk-' + java_version + '-jre-headless',
+        'zip',
    ] %}
 {% endif %}

@ -40,6 +42,9 @@ RUN curl -o /tmp/storm.tgz ${storm_url} \
    && tar --strip 1 -xvf /tmp/storm.tgz -C /opt/storm \
    && rm -f /tmp/storm.tgz

+# Mitigation for CVE-2021-44228 and CVE-2021-45046: remove the JndiLookup class
+# from the classpath
+RUN zip -q -d /opt/storm/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 {% endblock %}

 {% block storm_python_version %}
--- a/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml
+++ b/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml
@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Adds mitigation for Apache Log4j 2 Remote Code Execution (RCE)
+    vulnerabilities CVE-2021-44228 and CVE-2021-45046 to Apache Storm.