[tripleo][ussuri] Log4j add protection to haproxy {even it is not impacted

Clark Boylan cboylan at sapwetik.org
Fri Dec 17 16:42:09 UTC 2021

On Fri, Dec 17, 2021, at 5:31 AM, Ruslanas Gžibovskis LPIC wrote:
> Hi team,
> Thanks to this Log4j I finally found time to read around, how to add 
> additional settings/options to haproxy config, especially, I would like 
> to apply haproxy steps to hide log4j vulns.
> I know I know, OSP looks not to be impacted, unless we have some 
> components such as opendaylight which might have Log4j applied.
> Does anyone have an example of a yaml file?
> Thanks in advance.

It is my understanding that the log messages magic syntax in log4j is sophisticated enough that filtering via proxies is problematic and unlikely to catch everything. You'll be filtering simple attacks and letting sophisticated actors through. You are much better off upgrading log4j or disabling the JNDI class entirely in the jar. I wouldn't rely on haproxy for this.
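A check for the second option in the reply above, removing the JNDI lookup class from the jar, as an added example that is not part of the original message or of any OpenStack tooling. It assumes the class lives at `org/apache/logging/log4j/core/lookup/JndiLookup.class` inside log4j-core, and it descends into nested archives because log4j is often bundled inside a WAR or fat jar; the sample archives are constructed in memory.

```python
import io
import zipfile

# Path of the class inside log4j-core that performs JNDI lookups.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data, label="<archive>", max_depth=5):
    """Return the locations of JndiLookup.class inside an archive,
    descending into nested archives (fat jars, WAR/EAR bundles)."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; nothing to report
    with archive:
        for name in archive.namelist():
            if name.endswith(JNDI_CLASS):
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and max_depth > 0:
                nested = archive.read(name)
                hits += find_jndi_lookup(nested, f"{label}!/{name}", max_depth - 1)
    return hits


def _make_jar(entries):
    """Build a constructed in-memory archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    # Constructed sample data: placeholder bytes, not real class files.
    logger = "org/apache/logging/log4j/core/Logger.class"
    unpatched = _make_jar({JNDI_CLASS: b"stub", logger: b"stub"})
    stripped = _make_jar({logger: b"stub"})
    bundle = _make_jar({"WEB-INF/lib/log4j-core.jar": unpatched,
                        "WEB-INF/lib/other.jar": stripped})
    return {
        "unpatched": find_jndi_lookup(unpatched, "log4j-core.jar"),
        "stripped": find_jndi_lookup(stripped, "log4j-core.jar"),
        "bundle": find_jndi_lookup(bundle, "app.war"),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits or "JndiLookup.class not present")
```

To check a real file, pass its bytes, for example `find_jndi_lookup(open(path, "rb").read(), path)`; an empty list means the class was not found under that path, which does not cover copies relocated to a different package name.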
