[tripleo][ussuri] Log4j add protection to haproxy {even it is not impacted
Ruslanas Gžibovskis
ruslanas at lpic.lt
Wed Dec 22 11:22:04 UTC 2021
yes, but I am just curious how to add it during deployment step. Log4j is
just an example. And in our case, OSP does not have Log4j, our sec team is
very new, so they are excited, as it is the first zeroday for them ;)
On Fri, 17 Dec 2021 at 18:49, Clark Boylan <cboylan at sapwetik.org> wrote:
> On Fri, Dec 17, 2021, at 5:31 AM, Ruslanas Gžibovskis LPIC wrote:
> > Hi team,
> >
> > Thanks to this Log4j I finally found time to read around, how to add
> > additional settings/options to haproxy config, especially, I would like
> > to apply haproxy steps to hide log4j vulns.
> >
> > I know I know, OSP looks not to be impacted, unless we have some
> > components such as opendaylight which might have Log4j applied.
> >
> > Does anyone has example for yaml file?
> >
> > Thanks in advance.
>
> It is my understanding that the log messages magic syntax in log4j is
> sophisticated enough that filtering via proxies is problematic and unlikely
> to catch everything. You'll be filtering simple attacks and letting
> sophisticated actors through. You are much better off upgrading log4j or
> disabling the JNDI class entirely in the jar. I wouldn't rely on haproxy
> for this.
>
>
--
Ruslanas Gžibovskis
+370 6030 7030
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20211222/829c308b/attachment.htm>
More information about the openstack-discuss
mailing list