Dear ONAP Community,

A new zero-day vulnerability has been identified impacting nearly all Apache 
software versions where the logging package named Log4j is at versions 2.0 
through 2.14, and it allows REMOTE attackers to add malicious code and then 
execute this code.

This is an extremely dangerous vulnerability that can allow attackers the 
ability to take control of a server.

If the application has been upgraded to Java 11, it should not be a problem.



Additional information can be found here: URGENT: Analysis and Remediation 
Guidance to the Log4j Zero-Day RCE... (veracode.com) 
<https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228>



Due to the severity, I highly recommend that all project teams 
remediate immediately for Istanbul and for Jakarta.

This topic will also be discussed on 12/15 (next TSC call).



CALL TO ACTION - All ONAP project teams need to check their logging framework to 
identify whether they use Apache Log4j2 versions 2.0 through 2.14.



If this is found, immediately take one of the following mitigation steps:

Please note, these actions may require a reboot.



Complete one of these options now

Mitigation steps -

  *   This mitigation is only available for versions between 2.10 and 2.14

     *   Option 1 - Set system property "log4j2.formatMsgNoLookups" to "true"



  *   This mitigation action is available for version 2.0 through version 2.14

     *   Option 2 - remove JndiLookup class from the classpath



Patching fix

Remediation action -

  *   For versions 2.0 through 2.14, update the Log4j package to version 2.15.0


Best regards,
Catherine

Catherine Lefèvre
AVP Software Development & Engineering
AT&T Technology Services - Network Systems Common Platform & Services
ONAP TSC Chair

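One way to carry out the call-to-action check in the message above, as an added example (not part of the original e-mail and not ONAP's own tooling): a Python scan that finds log4j-core copies inside application archives, including jars nested in other jars, and maps each to the options the message lists. The entry names are those of the standard log4j-core jar; `advise`, `scan_archive`, `make_jar` and the sample archives are constructed for illustration.

```python
import io
import re
import zipfile

# Entry names inside a log4j-core jar (layout of the published Log4j 2 artifact).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def advise(version, has_jndi):
    """Map a log4j-core version to the options listed in the e-mail."""
    if version is None:
        return "version unknown: inspect manually"
    m = re.match(r"2\.(\d+)", version)
    if not m or int(m.group(1)) > 14:
        return "outside 2.0 through 2.14"
    if not has_jndi:
        return "Option 2 already applied; upgrade to 2.15.0"
    options = "Option 1 or Option 2" if int(m.group(1)) >= 10 else "Option 2 (Option 1 not available)"
    return f"{options} now; upgrade to 2.15.0"

def scan_archive(data, label):
    """List log4j-core copies in archive bytes, including nested jar/war/ear."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # entry is named like an archive but is not a readable one
    findings = []
    with zf:
        names = zf.namelist()
        if POM_PROPS in names or JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            m = re.search(r"^version=(\S+)", props, re.M)
            version, has_jndi = (m.group(1) if m else None), JNDI_CLASS in names
            findings.append((label, version, has_jndi, advise(version, has_jndi)))
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings += scan_archive(zf.read(name), f"{label}!/{name}")
    return findings

def make_jar(entries):
    """Build a constructed archive in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: an application jar bundling log4j-core 2.14.1.
CORE = make_jar({POM_PROPS: b"version=2.14.1\n", JNDI_CLASS: b""})
APP = make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": CORE})
```

Calling `scan_archive(APP, "app.jar")` reports the nested copy; for a real artifact, pass the file's bytes and its path as the label.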