On Mon, 10 Jan 2022 at 14:42, Jeremy Stanley <fungi at yuggoth.org> wrote: > > On 2022-01-03 16:02:14 +0000 (+0000), Jeremy Stanley wrote: > [...] > > Is anyone aware of other, similar situations where OpenStack is > > commonly installed alongside Java software using Log4j in > > vulnerable ways? > > It came to my attention a few moments ago that Kolla installs > Elasticsearch[*]. Is there any particular guidance we should be > giving Kolla users about mitigating the recent Log4j vulnerabilities > in light of this? Yes, we have already patched the command line [1] so the guidance is to make sure to run the latest and greatest. It would make sense to broadcast this so that users know that log4j is in Elasticsearch. In Kolla, ES is used either standalone or with Monasca (and soon Venus). [1] https://review.opendev.org/c/openstack/kolla-ansible/+/821860 -yoctozepto > [*] https://docs.openstack.org/kolla-ansible/latest/reference/logging-and-monitoring/central-logging-guide.html > > -- > Jeremy Stanley