[security-sig][kolla] Log4j vulnerabilities and OpenStack
pierre at stackhpc.com
Mon Jan 10 17:19:46 UTC 2022
On Mon, 10 Jan 2022 at 18:18, Jeremy Stanley <fungi at yuggoth.org> wrote:
> On 2022-01-10 18:10:19 +0100 (+0100), Pierre Riteau wrote:
> > For CentOS images, this is bundled into elasticsearch-oss-7.10.2-1.x86_64:
> > /usr/share/elasticsearch/lib/log4j-api-2.11.1.jar
> > /usr/share/elasticsearch/lib/log4j-core-2.11.1.jar
> > Note that according to Elastic, this version is not vulnerable thanks
> > to the use of the Java Security Manager.
>
> Thanks! Was there a public statement from Elastic to that effect, so
> that we can point users at it if they have questions?
>
> At this point a lot of enterprises are ripping out or shutting down
> anything which can't be upgraded to Log4j 2.17.1, due in part to the
> mixed messages about which older versions are actually impacted and
> which workarounds can mitigate it.
>
> Jeremy Stanley
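Added example (not code from this thread, from Kolla, or from StackHPC): a small Python inventory script of the kind an operator might run inside a container image to answer the question the thread raises, namely which log4j-api/log4j-core jars are present, whether their version is below the 2.17.1 that Jeremy mentions, and whether a log4j-core jar still contains the JndiLookup class that the common "remove the class from the jar" workaround deletes. The sample directory tree it builds (under a temp dir) mirrors the /usr/share/elasticsearch/lib paths quoted above but is constructed here with empty placeholder jars, not the real Elasticsearch package; FIXED_VERSION, scan_log4j_jars and run_demo are names chosen for this example.

```python
"""Inventory Log4j 2 jars under a directory tree and flag two things:
  * version below FIXED_VERSION (2.17.1, the target named in the thread)
  * log4j-core jars that still ship the JndiLookup class

Added example for the openstack-discuss thread; not project code.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Threshold taken from the thread ("can't be upgraded to Log4j 2.17.1").
FIXED_VERSION = (2, 17, 1)

# Matches log4j-api-2.11.1.jar, log4j-core-2.17.1.jar, etc.
JAR_NAME_RE = re.compile(
    r"^log4j-(?P<artifact>api|core)-(?P<version>\d+(?:\.\d+)*)\.jar$"
)

# Class entry removed from log4j-core by the widely used jar-stripping workaround.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.11.1' -> (2, 11, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def jar_has_jndi_lookup(jar_path):
    """True if the jar still contains the JndiLookup class entry."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def scan_log4j_jars(root):
    """Walk `root` and return one finding dict per log4j-api/log4j-core jar."""
    findings = []
    for path in Path(root).rglob("log4j-*.jar"):
        match = JAR_NAME_RE.match(path.name)
        if not match:
            continue  # e.g. log4j-1.2-api bridge jars are out of scope here
        version = parse_version(match.group("version"))
        finding = {
            "path": str(path),
            "artifact": match.group("artifact"),
            "version": match.group("version"),
            "below_fixed": version < FIXED_VERSION,
            # Only meaningful for log4j-core; None for log4j-api.
            "jndi_lookup_present": None,
        }
        if finding["artifact"] == "core":
            finding["jndi_lookup_present"] = jar_has_jndi_lookup(path)
        findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Construct a fake lib dir mirroring the CentOS image layout quoted in the thread.

    The jars are placeholders: a manifest entry, plus a dummy JndiLookup entry
    in log4j-core so the check has something to find. Not real bytecode.
    """
    lib = Path(root) / "usr/share/elasticsearch/lib"
    lib.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(lib / "log4j-api-2.11.1.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(lib / "log4j-core-2.11.1.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_LOOKUP, b"placeholder")  # constructed, not a class file
    return str(lib)


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_log4j_jars(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real image you would call scan_log4j_jars("/") instead of run_demo(); a finding with below_fixed set and jndi_lookup_present still True is the case the thread's enterprises are reacting to, whereas a below-threshold jar with the class removed tells you the workaround has already been applied. The script deliberately does not claim anything about the Java Security Manager point from Elastic, since that depends on how the JVM is launched rather than on what is in the jar.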