[security-sig][kolla] Log4j vulnerabilities and OpenStack

Jeremy Stanley fungi at yuggoth.org
Mon Jan 10 16:27:09 UTC 2022


On 2022-01-10 15:44:41 +0100 (+0100), Radosław Piliszek wrote:
> On Mon, 10 Jan 2022 at 14:58, Jeremy Stanley <fungi at yuggoth.org> wrote:
> >
> > On 2022-01-10 14:47:53 +0100 (+0100), Radosław Piliszek wrote:
> > [...]
> > > Yes, we have already patched the command line [1] so the guidance
> > > is to make sure to run the latest and greatest. It would make
> > > sense to broadcast this so that users know that log4j is in
> > > Elasticsearch. In Kolla, ES is used either standalone or with
> > > Monasca (and soon Venus).
> > >
> > > [1] https://review.opendev.org/c/openstack/kolla-ansible/+/821860
> > [...]
> >
> > Is the presence/absence of Elasticsearch determined by configuration
> > options, or is it always installed and run when Kolla is used?
> 
> Determined by configuration. It is not present by default - only if
> installed on demand, by enabling central logging, Monasca or some
> other dependent component.

Thanks for the details, and apologies for all the sudden questions.
Is there a list of which components (aside from the aforementioned
central logging and Monasca) pull Elasticsearch into the
deployment?

Also, does Kolla build/distribute its own Elasticsearch images or
reuse some maintained by an outside party? And what version(s) of
Elasticsearch and Log4j end up installed?
-- 
Jeremy Stanley