[security-sig] Log4j vulnerabilities and OpenStack

Ben Nemec openstack at nemebean.com
Thu Jan 6 17:16:08 UTC 2022



On 1/6/22 10:40, Jeremy Stanley wrote:
> On 2022-01-06 10:31:34 -0600 (-0600), Ben Nemec wrote:
> [...]
>> I don't know if this is common, but if you use Zookeeper for DLM I
>> assume you'd be affected. It's a supported driver in Tooz so it's
>> possible someone would be using it.
> 
> Thanks, that's a good point! I recall when we were investigating it
> with regard to Zuul (which relies on ZK for state coordination and
> persistence), the conclusion was that it isn't impacted by the
> recent vulnerabilities. I found this brief explanation, but maybe
> that's outdated information?
> https://issues.apache.org/jira/browse/ZOOKEEPER-4423
> 

Ah, so ZooKeeper was one of the projects using a version of log4j so 
ancient it wasn't affected. :-)

I was just thinking of Java stuff that might be running alongside 
OpenStack; I don't know anything that contradicts the issue you linked.


