Thanks to the excellent feedback from Radosław Piliszek and Pierre Riteau, the list of things for operators to look out for has grown a bit. Is anyone else aware of other, similar situations where OpenStack is commonly installed alongside Java software using Log4j in vulnerable ways? I think this list is becoming extensive enough we could consider publishing it in a security note (OSSN)...

Kolla-Ansible Central Logging
-----------------------------

If you're deploying with Kolla-Ansible and have enabled central logging, then it's installing a copy of Elasticsearch (7.13.4 currently, which includes Log4j 2.11.1). According to a statement from Elastic's developers, the relevant risks can be mitigated by passing "-Dlog4j2.formatMsgNoLookups=true" on the JVM's command line. All images built after December 21, 2021 have this workaround applied, with the exception of images for Train, which did not get that patch merged until January 7, 2021. The statement from Elastic about the workaround can be found here:

https://xeraa.net/blog/2021_mitigate-log4j2-log4shell-elasticsearch/

CloudKitty, Monasca, and OSProfiler
-----------------------------------

If you're deploying CloudKitty, Monasca, or OSProfiler, you may be using Elasticsearch as a storage back-end for these services. Make sure you update it or put a suitable mitigation in place. Anyone deploying one or more of these services with Kolla-Ansible is running Elasticsearch, but should be covered so long as they update to the latest available images for their release series, as noted above.

Networking-ODL
--------------

Neutron's Networking-ODL driver relies on the Java-based OpenDaylight service, which should be updated if used:

https://access.redhat.com/solutions/6586821

SUSE OpenStack
--------------

The "storm" component of SUSE OpenStack seems to be impacted:

https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vuln...

Sovereign Cloud Stack
---------------------

An Elasticsearch component in Sovereign Cloud Stack is affected:

https://scs.community/security/2021/12/13/advisory-log4j/

-- 
Jeremy Stanley
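The post's Kolla-Ansible section describes a workaround (the "-Dlog4j2.formatMsgNoLookups=true" JVM property) rather than an upgrade, which leaves operators with two things to verify on each Java service: which log4j-core jar it ships, and whether the property is actually present on the running JVM's command line. The helper below is an added example written for this page, not code from Jeremy Stanley's message, from Kolla-Ansible, or from Elastic. It assumes the operator feeds it the process command line (for example `tr '\0' ' ' < /proc/<pid>/cmdline`) and a jar listing of the service's lib directory; the jar names, command lines and the 2.16.0 minimum version used in the demo are constructed assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a JVM for the Log4j 2
# lookup-disabling workaround described above. All sample inputs are constructed.

# Return 0 if the JVM command line carries the lookup-disabling property set to true.
# Matching on a space-delimited token avoids accepting "...=false" or a prefix match.
has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the version of the first log4j-core jar in a newline-separated jar listing;
# print nothing if the listing has no log4j-core jar at all.
log4j_core_version() {
    printf '%s\n' "$1" | sed -n 's/^.*log4j-core-\([0-9][0-9.]*[0-9]\)\.jar$/\1/p' | head -n 1
}

# Return 0 if dotted version $1 sorts strictly before $2 (numeric, up to three components).
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Classify one JVM. Arguments: command line, jar listing, minimum acceptable
# log4j-core version. Prints exactly one of:
#   no-log4j-core | patched:<ver> | mitigated:<ver> | exposed:<ver>
audit_jvm() {
    cmdline=$1; jars=$2; minimum=$3
    ver=$(log4j_core_version "$jars")
    if [ -z "$ver" ]; then
        echo "no-log4j-core"
    elif ! version_lt "$ver" "$minimum"; then
        echo "patched:$ver"       # jar already at or above the chosen minimum
    elif has_nolookups_flag "$cmdline"; then
        echo "mitigated:$ver"     # old jar, but message lookups disabled on the command line
    else
        echo "exposed:$ver"       # old jar and no workaround: this one needs action
    fi
}

# Constructed samples (not real captures): a lib listing with the Log4j 2.11.1 the
# post mentions for Elasticsearch 7.13.4, and two JVM command lines, one carrying
# the workaround and one without it.
SAMPLE_JARS='elasticsearch-7.13.4.jar
log4j-api-2.11.1.jar
log4j-core-2.11.1.jar'
SAMPLE_CMDLINE_MITIGATED='/usr/share/elasticsearch/jdk/bin/java -Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch'
SAMPLE_CMDLINE_EXPOSED='/usr/share/elasticsearch/jdk/bin/java -Xms1g -Xmx1g -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch'
MINIMUM_LOG4J=2.16.0   # assumption: set this to whatever minimum your vendor advisory names

audit_jvm "$SAMPLE_CMDLINE_MITIGATED" "$SAMPLE_JARS" "$MINIMUM_LOG4J"   # mitigated:2.11.1
audit_jvm "$SAMPLE_CMDLINE_EXPOSED"   "$SAMPLE_JARS" "$MINIMUM_LOG4J"   # exposed:2.11.1
```

The jar version and the command-line flag are checked separately on purpose: a Kolla image rebuilt after the dates in the post still ships Log4j 2.11.1, so a version-only scanner would flag it as vulnerable, while a flag-only check would miss a host where an operator replaced the jar but never set the property. The classification string gives a fleet-wide inventory something stable to aggregate on.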