[security-sig][kolla] Log4j vulnerabilities and OpenStack

Radosław Piliszek radoslaw.piliszek at gmail.com
Mon Jan 10 13:47:53 UTC 2022


On Mon, 10 Jan 2022 at 14:42, Jeremy Stanley <fungi at yuggoth.org> wrote:
>
> On 2022-01-03 16:02:14 +0000 (+0000), Jeremy Stanley wrote:
> [...]
> > Is anyone aware of other, similar situations where OpenStack is
> > commonly installed alongside Java software using Log4j in
> > vulnerable ways?
>
> It came to my attention a few moments ago that Kolla installs
> Elasticsearch[*]. Is there any particular guidance we should be
> giving Kolla users about mitigating the recent Log4j vulnerabilities
> in light of this?

Yes, we have already patched the command line [1] so the guidance is
to make sure to run the latest and greatest.
It would make sense to broadcast this so that users know that log4j is
in Elasticsearch.
In Kolla, ES is used either standalone or with Monasca (and soon Venus).

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/821860

-yoctozepto

> [*] https://docs.openstack.org/kolla-ansible/latest/reference/logging-and-monitoring/central-logging-guide.html
>
> --
> Jeremy Stanley
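The message above says the mitigation went onto the Elasticsearch command line and that users should run the latest release. The following is an added example (not code from the Kolla review [1] or from the thread) of how an operator can verify that a running Elasticsearch JVM actually carries such a mitigation. It assumes the commonly used Log4j 2 system property `log4j2.formatMsgNoLookups`, which the page does not name, and it treats anything other than an explicit `true` as not mitigated. The sample command lines are constructed for illustration. Note that the property only suppresses message lookups; the guidance in the thread, upgrading to the patched release, is still what closes the issue.

```python
import shlex
from typing import Dict, Tuple

# Log4j 2 system property that disables message lookups. This is an assumption
# of the example; the mailing-list thread does not name the property Kolla set.
MITIGATION_PROPERTY = "log4j2.formatMsgNoLookups"

# Constructed sample command lines in the shape `ps -o args= -p <pid>` prints
# for an Elasticsearch JVM. They are illustrative, not from a Kolla deployment.
SAMPLE_CMDLINES = {
    "unmitigated": (
        "/usr/share/elasticsearch/jdk/bin/java -Xms1g -Xmx1g "
        "-Des.path.home=/usr/share/elasticsearch -Des.path.conf=/etc/elasticsearch "
        "-cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch"
    ),
    "mitigated": (
        "/usr/share/elasticsearch/jdk/bin/java -Xms1g -Xmx1g "
        "-Dlog4j2.formatMsgNoLookups=true -Des.path.home=/usr/share/elasticsearch "
        "-cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch"
    ),
    "misconfigured": (
        "/usr/share/elasticsearch/jdk/bin/java -Xms1g -Xmx1g "
        "-Dlog4j2.formatMsgNoLookups=false -Des.path.home=/usr/share/elasticsearch "
        "-cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch"
    ),
}


def parse_jvm_properties(cmdline: str) -> Dict[str, str]:
    """Collect the -Dkey=value system properties from a java command line.

    A bare ``-Dkey`` sets the property to the empty string, as the JVM does,
    and the last occurrence of a key wins, matching repeated -D flags.
    """
    props: Dict[str, str] = {}
    for token in shlex.split(cmdline):
        if token.startswith("-D") and len(token) > 2:
            key, sep, value = token[2:].partition("=")
            props[key] = value if sep else ""
    return props


def check_log4j_mitigation(cmdline: str) -> Tuple[str, str]:
    """Return (status, detail) for one JVM command line.

    status is "mitigated" only when the lookup-disabling property is explicitly
    true; absent, empty, false or misspelt values all fail closed.
    """
    props = parse_jvm_properties(cmdline)
    if MITIGATION_PROPERTY not in props:
        return "not mitigated", f"{MITIGATION_PROPERTY} is not set on the command line"
    value = props[MITIGATION_PROPERTY]
    if value.strip().lower() == "true":
        return "mitigated", f"{MITIGATION_PROPERTY}={value}"
    return "not mitigated", f"{MITIGATION_PROPERTY}={value!r} (must be exactly true)"


def read_live_cmdline(pid: int) -> str:
    """Read a running JVM's command line from /proc (Linux only).

    Elasticsearch's launcher expands jvm.options into the java invocation, so
    the live command line reflects what the process actually started with.
    """
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        # /proc separates arguments with NUL bytes; quoting each argument keeps
        # the reconstructed line parseable by parse_jvm_properties().
        args = [a.decode() for a in fh.read().split(b"\0") if a]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    for name, cmdline in SAMPLE_CMDLINES.items():
        status, detail = check_log4j_mitigation(cmdline)
        print(f"{name:14} {status:14} {detail}")
```

On a Kolla host the same check can be pointed at the real process with `check_log4j_mitigation(read_live_cmdline(pid))`, where `pid` is the Elasticsearch java process (inside the container, or from the host via its PID namespace). Whether the property is present is only half the answer; the Elasticsearch and Log4j versions shipped in the image are what the "run the latest" guidance actually addresses.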
