[security-sig] Log4j vulnerabilities and OpenStack

Ben Nemec openstack at nemebean.com
Thu Jan 6 16:31:34 UTC 2022

On 1/3/22 10:02, Jeremy Stanley wrote:
> Unless you were living under a rock during most of December, you've
> almost certainly seen the press surrounding the various security
> vulnerabilities discovered in the Apache Log4j Java library. As
> everyone reading this list hopefully knows, OpenStack is primarily
> written in Python, so has little use for Java libraries in the first
> place, but that hasn't stopped users from asking our VMT members if
> OpenStack is affected.
> While OpenStack doesn't require any Java components, I'm aware of
> one Neutron driver (networking-odl) which relies on an affected
> third-party service:
> https://access.redhat.com/solutions/6586821
> Additionally, "storm" component of SUSE OpenStack seems to be
> impacted:
> https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vulnerability/
> As does an Elasticsearch component in Sovereign Cloud Stack:
> https://scs.community/security/2021/12/13/advisory-log4j/
> Users should, obviously, rely on their distribution
> vendors/suppliers to notify them of available updates for these. Is
> anyone aware of other, similar situations where OpenStack is
> commonly installed alongside Java software using Log4j in vulnerable
> ways?

I don't know if this is common, but if you use Zookeeper for DLM I 
assume you'd be affected. It's a supported driver in Tooz so it's 
possible someone would be using it.
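A small inventory check for the situation discussed in this thread, added here as an example and not code from the thread or from any OpenStack project: it reports which service config files point Tooz at a ZooKeeper backend, and inspects a JAR for log4j-core's JndiLookup class and its declared version so the host running that ZooKeeper can be checked for CVE-2021-44228. The config texts and the JAR built by `make_sample_jar` are constructed for the example; the `[coordination] backend_url` option name and the `zookeeper://` and `kazoo://` URL schemes are assumptions about how services hand their coordination URL to Tooz, so adjust them to match the deployment being inventoried.

```python
"""Added example: find Tooz/ZooKeeper users and check JARs for Log4j 2 JNDI lookup."""
import configparser
import io
import re
import zipfile
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumption: URL schemes selecting Tooz's ZooKeeper (kazoo-based) driver.
ZK_SCHEMES = {"zookeeper", "kazoo"}

# Constructed sample config files, one per service (not real deployment data).
SAMPLE_CONFIGS = {
    "cinder": "[DEFAULT]\ndebug = False\n[coordination]\nbackend_url = zookeeper://zk1:2181,zk2:2181\n",
    "ironic": "[DEFAULT]\n[coordination]\nbackend_url = etcd3+http://etcd:2379\n",
    "nova": "[DEFAULT]\ndebug = False\n",
}


def tooz_zookeeper_services(configs: Dict[str, str]) -> Dict[str, str]:
    """Return {service: backend_url} for every config whose Tooz URL uses ZooKeeper.

    Assumption: the URL lives in an option named backend_url (any section).
    """
    hits = {}
    for service, text in configs.items():
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text)
        for section in cp.sections():
            url = cp.get(section, "backend_url", fallback=None)
            if url and urlparse(url).scheme.lower() in ZK_SCHEMES:
                hits[service] = url
    return hits


# Class whose presence enables the JNDI lookup behind CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata log4j-core JARs carry; it declares the artifact version.
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")


def inspect_log4j_jar(jar_bytes: bytes) -> Dict[str, Optional[object]]:
    """Report whether a JAR contains JndiLookup.class and which log4j-core version it declares."""
    result: Dict[str, Optional[object]] = {"has_jndi_lookup": False, "log4j_core_version": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        result["has_jndi_lookup"] = JNDI_LOOKUP in names
        for name in names:
            if POM_RE.search(name):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        result["log4j_core_version"] = line.split("=", 1)[1].strip()
    return result


def vulnerable_to_cve_2021_44228(report: Dict[str, Optional[object]]) -> bool:
    """True when JndiLookup.class is present and the declared version predates the 2.15.0 fix."""
    version = report["log4j_core_version"]
    if not report["has_jndi_lookup"] or version is None:
        return False
    nums = [int(x) for x in re.findall(r"\d+", str(version))[:3]]
    parts = tuple(nums + [0] * (3 - len(nums)))
    return (2, 0, 0) <= parts < (2, 15, 0)


def scan_jar_file(path: str) -> Dict[str, Optional[object]]:
    """Convenience wrapper for a JAR on disk (e.g. a file under ZooKeeper's lib/ directory)."""
    with open(path, "rb") as fh:
        return inspect_log4j_jar(fh.read())


def make_sample_jar(version: str, with_jndi: bool = True) -> bytes:
    """Build a constructed, minimal log4j-core-like JAR in memory for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        )
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class file header
    return buf.getvalue()


if __name__ == "__main__":
    print("services using ZooKeeper via Tooz:", tooz_zookeeper_services(SAMPLE_CONFIGS))
    for ver, jndi in (("2.14.1", True), ("2.17.1", True), ("2.14.1", False)):
        rep = inspect_log4j_jar(make_sample_jar(ver, jndi))
        print(ver, jndi, rep, "vulnerable:", vulnerable_to_cve_2021_44228(rep))
```

On a real host, point `scan_jar_file` at each JAR under the ZooKeeper installation's lib/ directory; a JAR that declares a log4j 1.x version or has no JndiLookup.class is reported as not affected by CVE-2021-44228, and the distribution's advisory remains the authority on what to upgrade.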
