[security-sig][kolla] Log4j vulnerabilities and OpenStack
radoslaw.piliszek at gmail.com
Mon Jan 10 14:44:41 UTC 2022
On Mon, 10 Jan 2022 at 14:58, Jeremy Stanley <fungi at yuggoth.org> wrote:
> On 2022-01-10 14:47:53 +0100 (+0100), Radosław Piliszek wrote:
> > Yes, we have already patched the command line  so the guidance
> > is to make sure to run the latest and greatest. It would make
> > sense to broadcast this so that users know that log4j is in
> > Elasticsearch. In Kolla, ES is used either standalone or with
> > Monasca (and soon Venus).
> >  https://review.opendev.org/c/openstack/kolla-ansible/+/821860
> Is the presence/absence of Elasticsearch determined by configuration
> options, or is it always installed and run when Kolla is used?
Determined by configuration. It is not present by default - only if
installed on demand, by enabling central logging, Monasca or some
other dependent component.
> Jeremy Stanley
More information about the openstack-discuss