[security-sig] Log4j vulnerabilities and OpenStack

Jeremy Stanley fungi at yuggoth.org
Mon Jan 3 16:02:14 UTC 2022


Unless you were living under a rock during most of December, you've
almost certainly seen the press surrounding the various security
vulnerabilities discovered in the Apache Log4j Java library. As
everyone reading this list hopefully knows, OpenStack is primarily
written in Python, so has little use for Java libraries in the first
place, but that hasn't stopped users from asking our VMT members if
OpenStack is affected.

While OpenStack doesn't require any Java components, I'm aware of
one Neutron driver (networking-odl) which relies on an affected
third-party service:
https://access.redhat.com/solutions/6586821

Additionally, the "storm" component of SUSE OpenStack seems to be
impacted:
https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vulnerability/

As does an Elasticsearch component in Sovereign Cloud Stack:
https://scs.community/security/2021/12/13/advisory-log4j/

Users should, obviously, rely on their distribution
vendors/suppliers to notify them of available updates for these. Is
anyone aware of other, similar situations where OpenStack is
commonly installed alongside Java software using Log4j in vulnerable
ways?
-- 
Jeremy Stanley