Open Stack

On 1/3/22 10:02, Jeremy Stanley wrote:
> Unless you were living under a rock during most of December, you've
> almost certainly seen the press surrounding the various security
> vulnerabilities discovered in the Apache Log4j Java library. As
> everyone reading this list hopefully knows, OpenStack is primarily
> written in Python, so has little use for Java libraries in the first
> place, but that hasn't stopped users from asking our VMT members if
> OpenStack is affected.
> 
> While OpenStack doesn't require any Java components, I'm aware of
> one Neutron driver (networking-odl) which relies on an affected
> third-party service:
> https://access.redhat.com/solutions/6586821
> 
> Additionally, "storm" component of SUSE OpenStack seems to be
> impacted:
> https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vulnerability/
> 
> As does an Elasticsearch component in Sovereign Cloud Stack:
> https://scs.community/security/2021/12/13/advisory-log4j/
> 
> Users should, obviously, rely on their distribution
> vendors/suppliers to notify them of available updates for these. Is
> anyone aware of other, similar situations where OpenStack is
> commonly installed alongside Java software using Log4j in vulnerable
> ways?
> 

I don't know if this is common, but if you use Zookeeper for DLM I 
assume you'd be affected. It's a supported driver in Tooz so it's 
possible someone would be using it.