Mitigate two Log4j vulnerabilities in Apache Storm

The Log4j version was bumped on GitHub [1] but it is still pending
inclusion in a release of Apache Storm.

Apply the alternative mitigation recommended by Log4j [2] of removing
the JndiLookup class from the classpath.

[1] apache/storm#3427
[2] https://logging.apache.org/log4j/2.x/security.html

Change-Id: Ib3ecd73f9e39e320acb2c5f0962b8af9b1a817e9
(cherry picked from commit 448e4f5)

Author: priteau

docker/storm/storm-base/Dockerfile.j2

@@ -12,6 +12,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {% if base_package_type == 'rpm' %}
     {% set storm_packages = [
         'java-1.8.0-openjdk-headless',
+        'zip',
     ] %}
 {% elif base_package_type == 'deb' %}
 
@@ -23,6 +24,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 
     {% set storm_packages = [
         'openjdk-' + java_version + '-jre-headless',
+        'zip',
     ] %}
 {% endif %}
 
@@ -40,6 +42,9 @@ RUN curl -o /tmp/storm.tgz ${storm_url} \
     && tar --strip 1 -xvf /tmp/storm.tgz -C /opt/storm \
     && rm -f /tmp/storm.tgz
 
+# Mitigation for CVE-2021-44228 and CVE-2021-45046: remove the JndiLookup class
+# from the classpath
+RUN zip -q -d /opt/storm/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 {% endblock %}
 
 {% block storm_python_version %}

releasenotes/notes/storm-log4j-vulnerability-mitigation-6746a8a0bb329485.yaml

@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Adds mitigation for Apache Log4j 2 Remote Code Execution (RCE)
+    vulnerabilities CVE-2021-44228 and CVE-2021-45046 to Apache Storm.