On 1/3/22 10:02, Jeremy Stanley wrote:
Unless you were living under a rock during most of December, you've almost certainly seen the press surrounding the various security vulnerabilities discovered in the Apache Log4j Java library. As everyone reading this list hopefully knows, OpenStack is primarily written in Python, so has little use for Java libraries in the first place, but that hasn't stopped users from asking our VMT members if OpenStack is affected.
While OpenStack doesn't require any Java components, I'm aware of one Neutron driver (networking-odl) which relies on an affected third-party service: https://access.redhat.com/solutions/6586821
Additionally, "storm" component of SUSE OpenStack seems to be impacted: https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vuln...
As does an Elasticsearch component in Sovereign Cloud Stack: https://scs.community/security/2021/12/13/advisory-log4j/
Users should, obviously, rely on their distribution vendors/suppliers to notify them of available updates for these. Is anyone aware of other, similar situations where OpenStack is commonly installed alongside Java software using Log4j in vulnerable ways?
I don't know if this is common, but if you use Zookeeper for DLM I assume you'd be affected. It's a supported driver in Tooz so it's possible someone would be using it.