[security-sig][kolla] Log4j vulnerabilities and OpenStack

Radosław Piliszek radoslaw.piliszek at gmail.com
Mon Jan 10 17:18:00 UTC 2022


On Mon, 10 Jan 2022 at 18:15, Jeremy Stanley <fungi at yuggoth.org> wrote:
>
> On 2022-01-10 18:10:19 +0100 (+0100), Pierre Riteau wrote:
> [...]
> > For CentOS images, this is bundled into elasticsearch-oss-7.10.2-1.x86_64:
> >
> > /usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
> > /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
> >
> > Note that according to Elastic, this version is not vulnerable thanks
> > to the use of the Java Security Manager.
>
> Thanks! Was there a public statement from Elastic to that effect, so
> that we can point users at it if they have questions?

https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

-yoctozepto

> At this point a lot of enterprises are ripping out or shutting down
> anything which can't be upgraded to Log4j 2.17.1, due in part to the
> mixed messages about which older versions are actually impacted and
> which workarounds can mitigate it.
> --
> Jeremy Stanley
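An inventory check in the spirit of the thread, added here as an example (not code from the thread, from Kolla or from Elastic): it walks a directory tree for log4j-core jars, reads each version from the jar manifest (falling back to the filename), and flags anything older than 2.17.1. The directory, jar names and manifests are constructed for the demo.

```python
"""Inventory log4j-core jars under a tree and flag versions below 2.17.1.
Added example; the sample tree is constructed inline, not taken from any image."""
import os
import re
import tempfile
import zipfile

TARGET = (2, 17, 1)  # version named in the thread as the upgrade goal
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.11.1' -> (2, 11, 1); tuples compare component-wise."""
    return tuple(int(p) for p in text.split("."))


def version_of(jar_path):
    """Prefer the manifest's Implementation-Version; fall back to the filename."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            return parse_version(m.group(1))
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a readable jar or no manifest: use the filename
    m = NAME_RE.search(os.path.basename(jar_path))
    return parse_version(m.group(1)) if m else None


def scan(root):
    """Return {jar_path: (version_tuple_or_None, below_target)} for log4j-core jars.
    An unparseable version is reported as below target so it gets reviewed."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.startswith("log4j-core-") and f.endswith(".jar"):
                path = os.path.join(dirpath, f)
                ver = version_of(path)
                found[path] = (ver, ver is None or ver < TARGET)
    return found


def build_fixture():
    """Constructed sample tree: one jar at the thread's 2.11.1, one at 2.17.1."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "usr", "share", "elasticsearch", "lib")
    os.makedirs(lib)
    for ver in ("2.11.1", "2.17.1"):
        with zipfile.ZipFile(os.path.join(lib, f"log4j-core-{ver}.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
    return root
```

A flagged jar is a finding to review, not proof of exploitability: as the thread notes, Elastic states its bundled 2.11.1 is not exploitable thanks to the Java Security Manager, which a version check alone cannot see.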



More information about the openstack-discuss mailing list