[cloudkitty][kolla][monasca][neutron][oslo][security-sig] Log4j vulnerabilities and OpenStack

Jeremy Stanley fungi at yuggoth.org
Thu Jan 13 18:44:15 UTC 2022


Thanks to the excellent feedback from Radosław Piliszek and Pierre
Riteau, the list of things for operators to look out for has grown a
bit. Is anyone else aware of other, similar situations where
OpenStack is commonly installed alongside Java software using Log4j
in vulnerable ways? I think this list is becoming extensive enough
we could consider publishing it in a security note (OSSN)...

Kolla-Ansible Central Logging
-----------------------------

If you're deploying with Kolla-Ansible and have enabled central
logging, then it's installing a copy of Elasticsearch (7.13.4
currently, which includes Log4j 2.11.1). According to a statement
from Elastic's developers, the relevant risks can be mitigated by
passing "-Dlog4j2.formatMsgNoLookups=true" on the JVM's command
line. All images built after December 21, 2021 have this workaround
applied, with the exception of images for Train which did not get
that patch merged until January 7, 2021. The statement from Elastic
about the workaround can be found here:
https://xeraa.net/blog/2021_mitigate-log4j2-log4shell-elasticsearch/

CloudKitty, Monasca, and OSProfiler
-----------------------------------

If you're deploying CloudKitty, Monasca, or OSProfiler, you may be
using Elasticsearch as a storage back-end for these services. Make
sure you update it or put a suitable mitigation in place. Anyone
deploying one or more of these services with Kolla-Ansible is
running Elasticsearch, but should be covered so long as they update
to the latest available images for their release series, as noted
above.

Networking-ODL
--------------

Neutron's Networking-ODL driver relies on the Java-based
OpenDaylight service, which should be updated if used:
https://access.redhat.com/solutions/6586821

SUSE OpenStack
--------------

The "storm" component of SUSE OpenStack seems to be impacted:
https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vulnerability/

Sovereign Cloud Stack
---------------------

An Elasticsearch component in Sovereign Cloud Stack is affected:
https://scs.community/security/2021/12/13/advisory-log4j/

-- 
Jeremy Stanley
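The post above leaves operators with one concrete check: does each JVM running an old log4j-core (Elasticsearch 7.13.4 with Log4j 2.11.1, in the Kolla-Ansible case) actually have "-Dlog4j2.formatMsgNoLookups=true" on its command line? The triage script below is an added example, written for this page; it is not code from the original message, from Kolla-Ansible, or from Elastic. It assumes the log4j-core version can be read from a jar name on the classpath, that the property is only honoured by Log4j 2.10.0 and later (older releases need an upgrade or removal of the JndiLookup class, not the flag), and that the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable is an accepted equivalent of the JVM property. The sample command lines are constructed, not captured from a deployment; the container name "elasticsearch" in the usage note is the Kolla-Ansible default as an assumption.

```shell
#!/bin/sh
# Added example: triage JVM command lines for the Log4Shell workaround.
# Not part of Kolla-Ansible or Elasticsearch; see the lead-in for assumptions.

# Compare two dotted versions (up to three components). Prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    for i in 1 2 3; do
        ai=$(printf '%s\n' "$a" | cut -d. -f"$i"); ai=${ai:-0}
        bi=$(printf '%s\n' "$b" | cut -d. -f"$i"); bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# Pull the log4j-core version out of a command line or classpath,
# e.g. ".../lib/log4j-core-2.11.1.jar" -> "2.11.1". Prints nothing if absent.
log4j_version() {
    printf '%s\n' "$1" | grep -o 'log4j-core-[0-9][0-9.]*\.jar' | head -n1 \
        | sed -e 's/^log4j-core-//' -e 's/\.jar$//'
}

# True if the JVM property from Elastic's statement is on the command line,
# or the equivalent environment variable is set (environ string optional).
has_no_lookups() {
    case "$1" in *-Dlog4j2.formatMsgNoLookups=true*) return 0 ;; esac
    case "${2:-}" in *LOG4J_FORMAT_MSG_NO_LOOKUPS=true*) return 0 ;; esac
    return 1
}

# Verdict for one JVM, given its command line and (optionally) its environment:
#   no-log4j-core     no log4j-core jar visible on the command line
#   upgrade-required  log4j-core < 2.10.0: the property is not honoured at all
#   mitigated         2.10.0 <= version < 2.15.0 and the workaround is present
#   flag-missing      2.10.0 <= version < 2.15.0 and the workaround is absent
#   patched-upstream  2.15.0 or later: CVE-2021-44228 fixed; still check the
#                     vendor's advisory for the follow-up Log4j CVEs
log4shell_triage() {
    cmdline="$1"; environ="${2:-}"
    v=$(log4j_version "$cmdline")
    if [ -z "$v" ]; then echo no-log4j-core; return; fi
    if [ "$(vercmp "$v" 2.10.0)" -lt 0 ]; then echo upgrade-required; return; fi
    if [ "$(vercmp "$v" 2.15.0)" -ge 0 ]; then echo patched-upstream; return; fi
    if has_no_lookups "$cmdline" "$environ"; then echo mitigated; else echo flag-missing; fi
}

# On a live host (or inside a container): walk /proc for java processes.
# cmdline and environ are NUL-separated, so translate NUL to spaces first.
scan_host() {
    for p in /proc/[0-9]*; do
        cl=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) || continue
        case "$cl" in *java*) ;; *) continue ;; esac
        en=$(tr '\0' ' ' < "$p/environ" 2>/dev/null) || en=""
        echo "$(basename "$p") $(log4shell_triage "$cl" "$en")"
    done
}

# Constructed sample command lines (not captured from a real deployment).
ES_UNMITIGATED='/usr/share/elasticsearch/jdk/bin/java -Xms1g -Xmx1g -cp /usr/share/elasticsearch/lib/elasticsearch-7.13.4.jar:/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar org.elasticsearch.bootstrap.Elasticsearch'
ES_MITIGATED='/usr/share/elasticsearch/jdk/bin/java -Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true -cp /usr/share/elasticsearch/lib/elasticsearch-7.13.4.jar:/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar org.elasticsearch.bootstrap.Elasticsearch'

echo "unmitigated: $(log4shell_triage "$ES_UNMITIGATED")"
echo "mitigated:   $(log4shell_triage "$ES_MITIGATED")"
```

On a Kolla-Ansible host the same functions can be run against the logging container with something like `docker exec elasticsearch sh -c "$(cat triage.sh); scan_host"` (container name assumed). The "upgrade-required" verdict is the one to watch for: a flag-carrying command line on a pre-2.10 Log4j looks mitigated at a glance but is not, which is why the script checks the version before it looks for the property.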