On Thu, 13 Jan 2022 at 22:30, Jeremy Stanley <fungi at yuggoth.org> wrote:
>
> On 2022-01-13 22:17:43 +0100 (+0100), Pierre Riteau wrote:
> [...]
> > This part has several issues:
> [...]
>
> Thanks for the detailed breakdown! I'll try to come up with a
> summary which retains accuracy while focusing on actionable
> recommendations, though I'll need to go over it a few more times and
> think on it for a bit before I can put together a new draft.
>
> > - Storm: possibly vulnerable? Pull requests in github.com/apache/storm
> > have bumped Log4j versions, but no new release has been issued yet.
> > Kolla uses version 1.2.2. I am looking at adding a mitigation for
> > CVE-2021-45046 based on removing the JndiLookup class from the
> > classpath.
> [...]
>
> Could that be the same as this?

I believe so. This led me to [1] and [2], which have more details. SUSE
opted to remove the JndiLookup class from log4j 2.x jars during build.

I've actually already submitted a Kolla patch to apply the same
mitigation: https://review.opendev.org/c/openstack/kolla/+/824651

[1] https://lists.suse.com/pipermail/sle-security-updates/2021-December/009911.html
[2] https://bugzilla.suse.com/show_bug.cgi?id=1193641

> > > SUSE OpenStack
> > > --------------
> > >
> > > The "storm" component of SUSE OpenStack seems to be impacted:
> > > https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vulnerability/
> [...]
>
> --
> Jeremy Stanley
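The mitigation discussed above (dropping the JndiLookup class from a log4j 2.x jar so that a logged `${jndi:...}` pattern has nothing to resolve against) is simple enough to show end to end. The block below is an added example written for this page; it is not the Kolla change linked above nor SUSE's build tooling. A jar is a zip file, so the Python standard library is enough: `strip_jndi_lookup` rewrites a jar without `org/apache/logging/log4j/core/lookup/JndiLookup.class` (the same effect as `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`) and `has_jndi_lookup` is the check to run afterwards. The function names are mine, and the jar the demo operates on is a constructed stand-in with placeholder class bytes, not a real log4j-core.

```python
"""Strip JndiLookup.class from a log4j-core jar and verify the result.

Added example for this thread, not Kolla or SUSE code.  The jar built by
make_sample_jar() is a constructed stand-in (placeholder bytes), so the
whole thing runs offline without any log4j artefact present.
"""
import os
import shutil
import tempfile
import zipfile

# Path of the class inside log4j-core 2.x that implements the ${jndi:...} lookup.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_entries(jar_path):
    """Return the entry names of a jar (zip) file, in archive order."""
    with zipfile.ZipFile(jar_path) as zf:
        return zf.namelist()


def has_jndi_lookup(jar_path):
    """True if the jar still ships the JndiLookup class (i.e. still needs the fix)."""
    return JNDI_LOOKUP_CLASS in jar_entries(jar_path)


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class and return how many entries were dropped.

    The new archive is written to a temporary file in the same directory and
    moved into place at the end, so an interrupted run leaves the original jar
    intact.  Running it twice is harmless: the second pass removes nothing.
    """
    removed = 0
    jar_dir = os.path.dirname(os.path.abspath(jar_path))
    tmp_fd, tmp_path = tempfile.mkstemp(dir=jar_dir, suffix=".jar.tmp")
    os.close(tmp_fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP_CLASS:
                    removed += 1
                    continue
                # Copy every other entry with its original compression and metadata.
                dst.writestr(info, src.read(info.filename))
        shutil.move(tmp_path, jar_path)
    except Exception:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)
        raise
    return removed


def make_sample_jar(jar_path):
    """Write a constructed stand-in for log4j-core: fake class files, not real bytecode."""
    placeholder = b"\xca\xfe\xba\xbe placeholder class"
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", placeholder)
        zf.writestr(JNDI_LOOKUP_CLASS, placeholder)
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", placeholder)


def demo():
    """Build the sample jar, apply the mitigation, and report before/after state."""
    workdir = tempfile.mkdtemp()
    jar = os.path.join(workdir, "log4j-core-sample.jar")  # constructed name
    try:
        make_sample_jar(jar)
        before = has_jndi_lookup(jar)
        removed = strip_jndi_lookup(jar)
        after = has_jndi_lookup(jar)
        second_pass = strip_jndi_lookup(jar)
        with zipfile.ZipFile(jar) as zf:
            intact = zf.testzip() is None  # archive still reads cleanly
        entries = jar_entries(jar)
    finally:
        shutil.rmtree(workdir)
    return {
        "before": before,
        "removed": removed,
        "after": after,
        "second_pass": second_pass,
        "intact": intact,
        "entries": entries,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real build step the check is the part worth keeping: after the image is assembled, walk every `*.jar` on the classpath (log4j-core is often bundled inside other jars or repackaged, so do not stop at the file name) and fail the build if `has_jndi_lookup` is still true anywhere. Note that removing the class only disables JNDI lookups; it does not make the jar a fixed upstream version, so it is a stopgap until a release that does not ship the lookup can be pulled in.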