[security-sig][kolla] Log4j vulnerabilities and OpenStack

Jeremy Stanley fungi at yuggoth.org
Mon Jan 10 17:15:23 UTC 2022

On 2022-01-10 18:10:19 +0100 (+0100), Pierre Riteau wrote:
> For CentOS images, this is bundled into elasticsearch-oss-7.10.2-1.x86_64:
> /usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
> /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
> Note that according to Elastic, this version is not vulnerable thanks
> to the use of the Java Security Manager.

Thanks! Was there a public statement from Elastic to that effect, so
that we can point users at it if they have questions?

At this point a lot of enterprises are ripping out or shutting down
anything which can't be upgraded to Log4j 2.17.1, due in part to the
mixed messages about which older versions are actually impacted and
which workarounds can mitigate it.

Jeremy Stanley
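As an added example (not part of this thread or of any OpenStack or Elastic code): a small Python inventory check that takes a list of jar paths, including the two Elasticsearch paths quoted above plus constructed entries, and reports any log4j-core older than 2.17.1. It deliberately ignores the Security Manager argument and flags the bundled 2.11.1 jar anyway, which is the conservative fleet-inventory view Jeremy describes; the sample paths under /opt/example are assumptions.

```python
import os
import re
from pathlib import PurePosixPath

# Version referenced in the thread; anything older is listed for review.
FIXED_VERSION = (2, 17, 1)

# Match log4j artifacts by file name, e.g. log4j-core-2.11.1.jar
JAR_RE = re.compile(r"^(log4j-(?:core|api))-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_log4j_jar(path):
    """Return (artifact, (major, minor, patch)) for a log4j jar, else None."""
    m = JAR_RE.match(PurePosixPath(path).name)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def flag_outdated(paths, fixed=FIXED_VERSION):
    """Return [(path, version_string)] for log4j-core jars older than `fixed`.

    Only log4j-core is flagged: log4j-api by itself is not the affected
    component, so an api jar without a matching core jar is not reported.
    """
    flagged = []
    for p in paths:
        parsed = parse_log4j_jar(p)
        if parsed and parsed[0] == "log4j-core" and parsed[1] < fixed:
            flagged.append((p, ".".join(map(str, parsed[1]))))
    return flagged


def scan_tree(root, fixed=FIXED_VERSION):
    """Walk a directory (e.g. an extracted image root) and flag old log4j-core jars."""
    found = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return flag_outdated(found, fixed)


# Constructed sample inventory: the two Elasticsearch jars quoted in the
# thread plus two made-up entries (a patched jar and an unrelated jar).
SAMPLE_PATHS = [
    "/usr/share/elasticsearch/lib/log4j-api-2.11.1.jar",
    "/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar",
    "/opt/example/lib/log4j-core-2.17.1.jar",    # assumed path, patched
    "/opt/example/lib/jackson-core-2.12.0.jar",  # assumed path, not log4j
]

if __name__ == "__main__":
    for path, version in flag_outdated(SAMPLE_PATHS):
        print(f"REVIEW {path} (log4j-core {version} < 2.17.1)")
```

Point `scan_tree()` at a mounted image root to run the same check against real package contents instead of the constructed list.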
