[cloudkitty][kolla][monasca][neutron][oslo][security-sig] Log4j vulnerabilities and OpenStack

Jeremy Stanley fungi at yuggoth.org
Thu Jan 13 21:26:24 UTC 2022

On 2022-01-13 22:17:43 +0100 (+0100), Pierre Riteau wrote:
> This part has several issues:

Thanks for the detailed breakdown! I'll try to come up with a
summary which retains accuracy while focusing on actionable
recommendations, though I'll need to go over it a few more times and
think on it for a bit before I can put together a new draft.

> - Storm: possibly vulnerable? Pull requests in github.com/apache/storm
> have bumped Log4j versions, but no new release has been issued yet.
> Kolla uses version 1.2.2. I am looking at adding a mitigation for
> CVE-2021-45046 based on removing the JndiLookup class from the
> classpath.

Could that be the same as this?

> > SUSE OpenStack
> > --------------
> >
> > The "storm" component of SUSE OpenStack seems to be impacted:
> > https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vulnerability/

Jeremy Stanley
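The mitigation Pierre mentions above, removing the JndiLookup class from the classpath, as an added Python example that is not part of this thread or of Kolla: it scans a jar (descending into jars nested inside it, as fat jars bundle log4j-core) for the class and writes a copy with the top-level entry removed. The sample jar, its entry names and the nested jar name are constructed for the demonstration.

```python
import io, os, tempfile, zipfile

# Entry name of the class that the JNDI lookup mitigation removes from the classpath.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def _scan(zf, prefix):
    """Recursively list JndiLookup entries, descending into nested jars (uber/fat jars)."""
    hits = []
    for name in zf.namelist():
        if name == JNDI_LOOKUP:
            hits.append(prefix + name)
        elif name.endswith((".jar", ".war", ".zip")):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    hits.extend(_scan(inner, prefix + name + "!"))
            except zipfile.BadZipFile:
                pass  # not a real archive, skip it
    return hits

def find_jndi_lookup(jar_path):
    """Return the locations (outer!inner!entry) of every JndiLookup.class in jar_path."""
    with zipfile.ZipFile(jar_path) as zf:
        return _scan(zf, "")

def strip_jndi_lookup(jar_path, out_path):
    """Copy jar_path to out_path without the top-level JndiLookup entry; return the count dropped.
    Nested jars are copied unchanged, so run find_jndi_lookup on the result to see what is left."""
    removed = 0
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    return removed

def make_sample_jar():
    """Constructed sample (hypothetical names): a jar carrying a placeholder JndiLookup entry
    plus a nested jar that carries one too. Returns the path of the jar in a fresh temp dir."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_LOOKUP, b"placeholder")
    path = os.path.join(tempfile.mkdtemp(), "sample.jar")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(JNDI_LOOKUP, b"placeholder")
        z.writestr("lib/log4j-core-2.x.jar", inner.getvalue())
    return path
```

Because the strip only touches the top-level entry, the nested copy is still reported afterwards, which is exactly the case a classpath-only check would miss.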