[security-sig][kolla] Log4j vulnerabilities and OpenStack
fungi at yuggoth.org
Mon Jan 10 16:27:09 UTC 2022
On 2022-01-10 15:44:41 +0100 (+0100), Radosław Piliszek wrote:
> On Mon, 10 Jan 2022 at 14:58, Jeremy Stanley <fungi at yuggoth.org> wrote:
> > On 2022-01-10 14:47:53 +0100 (+0100), Radosław Piliszek wrote:
> > [...]
> > > Yes, we have already patched the command line  so the guidance
> > > is to make sure to run the latest and greatest. It would make
> > > sense to broadcast this so that users know that log4j is in
> > > Elasticsearch. In Kolla, ES is used either standalone or with
> > > Monasca (and soon Venus).
> > >
> > >  https://review.opendev.org/c/openstack/kolla-ansible/+/821860
> > [...]
> > Is the presence/absence of Elasticsearch determined by configuration
> > options, or is it always installed and run when Kolla is used?
> Determined by configuration. It is not present by default - only if
> installed on demand, by enabling central logging, Monasca or some
> other dependent component.
Thanks for the details, and apologies for all the sudden questions.
Is there a list of which components (aside from the aforementioned
central logging and Monasca) which pull Elasticsearch into the
Also, does Kolla build/distribute its own Elasticsearch images or
reuse some maintained by an outside party? And what version(s) of
Elasticsearch and Log4j end up installed?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 963 bytes
Desc: not available
More information about the openstack-discuss