Mitigate two Log4j vulnerabilities in Apache Storm

The Log4j version was bumped on GitHub [1] but it is still pending inclusion in a release of Apache Storm. Apply the alternative mitigation recommended by Log4j [2] of removing the JndiLookup class from the classpath. [1] apache/storm#3427 [2] https://logging.apache.org/log4j/2.x/security.html Change-Id: Ib3ecd73f9e39e320acb2c5f0962b8af9b1a817e9 (cherry picked from commit 448e4f5)
openstack · Jan 27, 2022 · fe9b3cc · fe9b3cc
1 parent b22f8f6
commit fe9b3cc
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/docker/storm/storm-base/Dockerfile.j2 b/docker/storm/storm-base/Dockerfile.j2
@@ -10,6 +10,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {% if base_package_type == 'rpm' %}
     {% set storm_packages = [
         'java-1.8.0-openjdk-headless',
+        'zip',
     ] %}
 {% elif base_package_type == 'deb' %}
 
@@ -21,6 +22,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 
     {% set storm_packages = [
         'openjdk-' + java_version + '-jre-headless',
+        'zip',
     ] %}
 {% endif %}
 
@@ -38,6 +40,9 @@ RUN curl -sSL -o /tmp/storm.tgz ${storm_url} \
     && tar --strip 1 -xvf /tmp/storm.tgz -C /opt/storm \
     && rm -f /tmp/storm.tgz
 
+# Mitigation for CVE-2021-44228 and CVE-2021-45046: remove the JndiLookup class
+# from the classpath
+RUN zip -q -d /opt/storm/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 {% endblock %}
 
 {% block storm_python_version %}

diff --git a/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml b/releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Adds mitigation for Apache Log4j 2 Remote Code Execution (RCE)
+    vulnerabilities CVE-2021-44228 and CVE-2021-45046 to Apache Storm.