[ovirt-users] Re: oVirt and log4j vulnerability

2021-12-13 Thread Martin Perina
On Mon, Dec 13, 2021 at 2:46 PM Derek Atkins wrote: > > On Mon, December 13, 2021 8:04 am, Gianluca Cecchi wrote: > >> > > If I understood correctly reading here: > > > https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell > > >

[ovirt-users] Re: oVirt and log4j vulnerability

2021-12-13 Thread Gianluca Cecchi
On Mon, Dec 13, 2021 at 2:37 PM Derek Atkins wrote: > > On Mon, December 13, 2021 8:04 am, Gianluca Cecchi wrote: > >> > > If I understood correctly reading here: > > > https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell > > >

[ovirt-users] Re: oVirt and log4j vulnerability

2021-12-13 Thread Derek Atkins
On Mon, December 13, 2021 8:04 am, Gianluca Cecchi wrote: >> > If I understood correctly reading here: > https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell > > you are protected by the RCE if java is 1.8 and greater than

[ovirt-users] Re: oVirt and log4j vulnerability

2021-12-13 Thread Chris Adams
Once upon a time, Michal Skrivanek said: > We concluded the investigation and we believe we are not affected, while a > vulnerable log4j is being shipped (and will be fixed by wildfly/jboss) we are > not using this functionality in any of our components. > Wildfly reimplements log4j and we use

[ovirt-users] Re: oVirt and log4j vulnerability

2021-12-13 Thread Michal Skrivanek
> On 13. 12. 2021, at 14:04, Gianluca Cecchi wrote: > > On Mon, Dec 13, 2021 at 1:38 PM Sandro Bonazzola > wrote: > So far we can't confirm whether oVirt engine systems are affected or not: the > oVirt infra team is digging into this. > I can confirm that

[ovirt-users] Re: oVirt and log4j vulnerability

2021-12-13 Thread Gianluca Cecchi
On Mon, Dec 13, 2021 at 1:38 PM Sandro Bonazzola wrote: > So far we can't confirm whether oVirt engine systems are affected or not: > the oVirt infra team is digging into this. > I can confirm that ovirt-engine-wildfly is shipping a log4j version which > is affected by the vulnerability and we

[ovirt-users] Re: oVirt and log4j vulnerability

2021-12-13 Thread Sandro Bonazzola
So far we can't confirm whether oVirt engine systems are affected or not: the oVirt infra team is digging into this. I can confirm that ovirt-engine-wildfly is shipping a log4j version which is affected by the vulnerability and we are monitoring Wildfly project so we'll be able to ship an update

[ovirt-users] Re: oVirt and log4j vulnerability

2021-12-13 Thread Klaas Demter
Hi, no, I am not sure :) but if it's only the log4j-api package it should not be vulnerable either: https://issues.apache.org/jira/browse/LOG4J2-3201?focusedCommentId=17456962&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17456962 But I am guessing for a real

[ovirt-users] Re: oVirt and log4j vulnerability

2021-12-12 Thread Kapetanakis Giannis
Are you sure?
lsof -n -P |grep log4j
java    2977 892943 EE-Manage   ovirt  213r  REG  253,0 301418    2071533 /usr/share/ovirt-engine-wildfly/modules/system/layers/base/org/apache/logging/log4j/api/main/log4j-api-2.14.0.jar
seems vulnerable to me.
ovirt

[ovirt-users] Re: oVirt and log4j vulnerability

2021-12-12 Thread Klaas Demter
Hi,
I think this only affects between 2.0 <= and <= 2.14.1 (https://bugzilla.redhat.com/show_bug.cgi?id=2030932)
ovirt engine uses 1.2.17
So I don't think this hits ovirt 4.4
Greetings
Klaas
On 12/11/21 22:53, Chris Adams wrote:
Can an oVirt developer comment about the log4j