On Mon, Dec 13, 2021 at 1:38 PM Sandro Bonazzola <sbona...@redhat.com> wrote:

> So far we can't confirm whether oVirt engine systems are affected or not:
> the oVirt infra team is digging into this.
> I can confirm that ovirt-engine-wildfly is shipping a log4j version which
> is affected by the vulnerability and we are monitoring the Wildfly project so
> we'll be able to ship an update as soon as a fix is available (we are
> just repackaging the binary build they provide).
> But I got no report so far confirming whether the way we run Wildfly exposes
> the vulnerable system to potential attackers yet.
>

If I understood correctly reading here:
https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell
you are protected from the RCE if Java is 1.8 and greater than 1.8.121 (released in 2017):

"If the server has Java runtimes later than 8u121, then it is protected against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false" (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)."

It is not clear to me if it means that Java 11 (and 17) also maintained that setting.

In one of my oVirt installations with 4.4.8 it seems that the engine is using the java-11-openjdk-headless-11.0.12.0.7-0.el8_4.x86_64 package.

Gianluca
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/WH3WZLRM6NYC7MJVWSTA4LY5YWDF57VW/
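The check the message above is asking for, written out as an added example (this is not code from the oVirt project or from anyone in the thread). The `trustURLCodebase=false` default that arrived in 8u121 was carried into JDK 9 and every later feature release, so Java 11 and 17 keep it unless the process is explicitly started with `-Dcom.sun.jndi.rmi.object.trustURLCodebase=true` (or the `cosnaming` equivalent). The script parses a `java -version` line, decides whether that default applies, and then looks at the JVM command line for an override or for the log4j 2.10+ `-Dlog4j2.formatMsgNoLookups=true` kill switch. The caveat a practitioner should keep in mind: the codebase default only closes the "fetch a class from a remote URL" path; JNDI references that point at factory classes already on the classpath, and serialized payloads, are not blocked by it, so it is a partial mitigation and the log4j update is still required. The sample version and command lines are constructed, and the `pgrep` pattern used in `--live` mode is an assumption about how the engine process appears on a host.

```shell
#!/bin/sh
# Added example, not oVirt project code. Checks whether the JNDI
# trustURLCodebase mitigation discussed in the thread applies to a JVM.

# Extract the quoted version string from the first line of `java -version`,
# e.g. 'openjdk version "11.0.12" 2021-07-20' -> 11.0.12
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Return 0 when a JVM with this `java -version` line defaults
# com.sun.jndi.rmi.object.trustURLCodebase and
# com.sun.jndi.cosnaming.object.trustURLCodebase to false
# (8u121 and later, or any release using the 9+ version scheme), 1 otherwise.
jndi_codebase_default_false() {
    v=$(java_version_string "$1")
    case "$v" in
        1.8.0_*)
            # 1.8.0_121 -> 121; drop any -bNN / -ea suffix before comparing
            update=$(printf '%s' "${v#1.8.0_}" | sed 's/[^0-9].*//')
            [ -n "$update" ] && [ "$update" -ge 121 ]
            ;;
        1.*|"")
            # Java 8 GA without update number, Java 7 and older, or unparsable
            return 1
            ;;
        *)
            # 9.0.4, 11.0.12, 17.0.1, ...: major version is the first field
            major=$(printf '%s' "${v%%.*}" | sed 's/[^0-9].*//')
            [ -n "$major" ] && [ "$major" -ge 9 ]
            ;;
    esac
}

# Return 0 when the command line explicitly re-enables remote codebases,
# which undoes the JVM default regardless of version.
jndi_codebase_overridden_to_true() {
    case " $1 " in
        *"-Dcom.sun.jndi.rmi.object.trustURLCodebase=true"*) return 0 ;;
        *"-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=true"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the log4j 2.10+ message-lookup kill switch is present; that
# stops ${jndi:...} lookups before JNDI is reached at all.
log4j_lookups_disabled() {
    case " $1 " in
        *"-Dlog4j2.formatMsgNoLookups=true"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a short verdict token for a (java -version line, command line) pair.
assess_jvm() {
    if ! jndi_codebase_default_false "$1"; then
        echo "unprotected-jvm"        # pre-8u121: remote codebases are trusted
    elif jndi_codebase_overridden_to_true "$2"; then
        echo "unprotected-override"   # default false, but forced back to true
    elif log4j_lookups_disabled "$2"; then
        echo "mitigated"              # codebase default false + lookups off
    else
        echo "partial"                # codebase default false only; patch log4j
    fi
}

# Constructed sample inputs (not captured from a real oVirt host).
SAMPLE_JDK8_OLD='java version "1.8.0_111"'
SAMPLE_JDK8_NEW='openjdk version "1.8.0_292"'
SAMPLE_JDK11='openjdk version "11.0.12" 2021-07-20 LTS'
SAMPLE_JDK17='openjdk version "17.0.1" 2021-10-19'
SAMPLE_CMD_DEFAULT='/usr/lib/jvm/jre/bin/java -Xms1g -jar jboss-modules.jar -mp modules'
SAMPLE_CMD_OVERRIDE='java -Dcom.sun.jndi.rmi.object.trustURLCodebase=true -jar jboss-modules.jar'
SAMPLE_CMD_NOLOOKUPS='java -Dlog4j2.formatMsgNoLookups=true -jar jboss-modules.jar'

# With --live, inspect the installed java and the engine's real process
# (the 'ovirt-engine' pgrep pattern is an assumption); otherwise run the
# constructed samples.
if [ "${1:-}" = "--live" ]; then
    ver=$(java -version 2>&1 | head -n 1)
    cmd=$(pgrep -af 'ovirt-engine' | head -n 1)
    assess_jvm "$ver" "$cmd"
else
    assess_jvm "$SAMPLE_JDK8_OLD" "$SAMPLE_CMD_DEFAULT"
    assess_jvm "$SAMPLE_JDK11"    "$SAMPLE_CMD_DEFAULT"
    assess_jvm "$SAMPLE_JDK11"    "$SAMPLE_CMD_OVERRIDE"
    assess_jvm "$SAMPLE_JDK17"    "$SAMPLE_CMD_NOLOOKUPS"
fi
```

A `partial` verdict on a Java 11 engine host is the expected state from the thread: the JVM will refuse to load classes from the attacker's URL codebase, but the wildfly log4j package still needs the fixed version.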