[security-sig][kolla] Log4j vulnerabilities and OpenStack
fungi at yuggoth.org
Mon Jan 10 17:15:23 UTC 2022
On 2022-01-10 18:10:19 +0100 (+0100), Pierre Riteau wrote:
> For CentOS images, this is bundled into elasticsearch-oss-7.10.2-1.x86_64:
> Note that according to Elastic, this version is not vulnerable thanks
> to the use of the Java Security Manager.

Thanks! Was there a public statement from Elastic to that effect, so
that we can point users at it if they have questions?

At this point a lot of enterprises are ripping out or shutting down
anything which can't be upgraded to Log4j 2.17.1, due in part to the
mixed messages about which older versions are actually impacted and
which workarounds can mitigate it.