On Thu, 13 Jan 2022 at 22:30, Jeremy Stanley <fungi@yuggoth.org> wrote:
> On 2022-01-13 22:17:43 +0100 (+0100), Pierre Riteau wrote:
> [...]
> > This part has several issues:
> > [...]
> Thanks for the detailed breakdown! I'll try to come up with a summary which retains accuracy while focusing on actionable recommendations, though I'll need to go over it a few more times and think on it for a bit before I can put together a new draft.
> > - Storm: possibly vulnerable? Pull requests in github.com/apache/storm have bumped Log4j versions, but no new release has been issued yet. Kolla uses version 1.2.2. I am looking at adding a mitigation for CVE-2021-45046 based on removing the JndiLookup class from the classpath.
> > [...]
> Could that be the same as this?
I believe so. This led me to [1] and [2], which have more details. SUSE opted to remove the JndiLookup class from log4j 2.x jars during build. I've actually already submitted a Kolla patch to apply the same mitigation: https://review.opendev.org/c/openstack/kolla/+/824651

[1] https://lists.suse.com/pipermail/sle-security-updates/2021-December/009911.h...
[2] https://bugzilla.suse.com/show_bug.cgi?id=1193641
> > SUSE OpenStack
> > --------------
> >
> > The "storm" component of SUSE OpenStack seems to be impacted: https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vuln...
> > [...]
> --
> Jeremy Stanley
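The JndiLookup-removal mitigation discussed in this thread (the build-time approach SUSE took and the Kolla patch mirrors), as an added example that is not part of the thread, the SUSE update or the Kolla change: it checks a log4j-core 2.x jar for the JndiLookup class and rewrites the jar without it, then re-checks the result. The jar it operates on is a constructed stand-in with an invented file name, not a real Log4j build.

```python
import os
import shutil
import tempfile
import zipfile

# Class implementing the JNDI lookup abused in CVE-2021-44228 / CVE-2021-45046.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_jndi_lookup(jar_path):
    """Return True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return the number of entries dropped."""
    # zipfile cannot delete in place: copy every other entry (keeping its
    # metadata) into a new archive, then atomically swap it over the original.
    tmp_path = jar_path + ".tmp"
    removed = 0
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return removed


def build_constructed_jar(directory):
    """Write a stand-in jar (constructed sample, not a real Log4j build) for the demo."""
    path = os.path.join(directory, "log4j-core-sample.jar")  # invented name
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"\xca\xfe\xba\xbe")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Build the sample jar, strip it, and return (found_before, removed, found_after, entries_left)."""
    workdir = tempfile.mkdtemp()
    try:
        jar = build_constructed_jar(workdir)
        before = find_jndi_lookup(jar)
        removed = strip_jndi_lookup(jar)
        with zipfile.ZipFile(jar) as z:
            left = len(z.namelist())
        return before, removed, find_jndi_lookup(jar), left
    finally:
        shutil.rmtree(workdir)
```

After stripping, a `${jndi:...}` lookup in a log pattern fails with a logged error instead of resolving, which is the intended effect; this only applies to log4j 2.x jars, and a fixed Log4j release remains the proper fix once Storm ships one.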