On 2022-01-13 22:17:43 +0100 (+0100), Pierre Riteau wrote: [...]
This part has several issues: [...]
Thanks for the detailed breakdown! I'll try to come up with a summary which retains accuracy while focusing on actionable recommendations, though I'll need to go over it a few more times and think on it for a bit before I can put together a new draft.
- Storm: possibly vulnerable? Pull requests in github.com/apache/storm have bumped Log4j versions, but no new release has been issued yet. Kolla uses version 1.2.2. I am looking at adding a mitigation for CVE-2021-45046 based on removing the JndiLookup class from the classpath. [...]
Could that be the same as this?
SUSE OpenStack
--------------
The "storm" component of SUSE OpenStack seems to be impacted: https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vuln... [...]
-- Jeremy Stanley
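The mitigation Pierre mentions above (dropping the JndiLookup class out of the Log4j 2 core jar so the vulnerable lookup can no longer be reached) is simple enough to script, both as a check over a classpath and as the fix itself. The following is an added example and not code from this thread, from Kolla or from Apache Storm; it assumes the class lives at the path Apache documents for log4j-core and uses a constructed, minimal jar so it runs offline.

```python
"""Find and strip JndiLookup.class from Log4j 2 core jars.

Added example, not from the mailing-list thread or from Kolla/Storm. It
implements the classpath mitigation for Log4Shell-style lookups: rebuild the
jar without the JndiLookup class. The sample jar built here is constructed
for the demo; real log4j-core jars carry many more entries.
"""
import io
import tempfile
import zipfile
from pathlib import Path

# Location of the class inside log4j-core jars (the entry Apache's own
# mitigation guidance tells you to remove).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def build_sample_jar(path: Path, include_jndi: bool = True) -> None:
    """Write a constructed, minimal jar so the example can run offline."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Dummy class bytes (JVM magic number only); content is irrelevant here.
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def has_jndi_lookup(jar: Path) -> bool:
    """Detection check: True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_LOOKUP in zf.namelist()


def scan_classpath(root: Path) -> list[Path]:
    """Return every jar under root that still contains JndiLookup.class."""
    return sorted(p for p in root.rglob("*.jar") if has_jndi_lookup(p))


def strip_jndi_lookup(jar: Path) -> int:
    """Rewrite the jar in place without JndiLookup.class; return entries removed.

    zipfile cannot delete an entry, so the archive is copied entry by entry
    into memory and written back only if something was actually removed.
    """
    removed = 0
    buf = io.BytesIO()
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    if removed:
        jar.write_bytes(buf.getvalue())
    return removed


def demo() -> tuple[bool, int, bool]:
    """Build a constructed jar, check it, strip it, re-check it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        jar = root / "log4j-core-constructed.jar"  # constructed file name
        build_sample_jar(jar)
        before = has_jndi_lookup(jar)
        assert scan_classpath(root) == [jar]
        removed = strip_jndi_lookup(jar)
        after = has_jndi_lookup(jar)
        # The unrelated class must survive the rewrite.
        with zipfile.ZipFile(jar) as zf:
            assert "org/apache/logging/log4j/core/Logger.class" in zf.namelist()
        return before, removed, after


if __name__ == "__main__":
    print(demo())  # (True, 1, False)
```

Run `scan_classpath` over the directory a service actually loads jars from (for Storm that would be its lib directory) before and after the change; a jar that is rebuilt this way should be checked back into whatever image or package produces it, since the next upgrade will otherwise reintroduce the class.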