On Mon, Dec 13, 2021 at 11:43 AM David Ecker <da...@ecker-software.de> wrote:
>
> Thanks,
>
> one system less to fix.
>

We have not identified log4j-core as used at runtime as part of Camel K.
We may have missed something.

log4j is used during testing camel and camel-k-runtime itself.
For camel-k-runtime we only used it during testing, but have completely
removed it for the next release:
https://github.com/apache/camel-k-runtime/commit/df1608055e0f94f923a24cde27b29ad3be1a6a11

The logging systems that are used at runtime, camel-k and the builder
pod are quarkus and maven.
Both of them do not use log4j, but jboss-logging and slf4j simple logging.

The next round of LTS release of apache camel will upgrade to log4j
2.15.0 that has the CVE fix.
But we are only using log4j during testing. But nevertheless it gives
some reassurance that anyhow, if log4j is used, then it's the fixed version.

> bye
> David
>
> On 12/13/21 11:40 AM, Claus Ibsen wrote:
> > On Mon, Dec 13, 2021 at 11:37 AM David Ecker <da...@ecker-software.de>
> > wrote:
> >> Hi Claus,
> >>
> >> the information is from Red Hat, if I understood it correctly:
> >>
> >> https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
> >>
> > Their product and upstream Camel K are not 100% identical.
> >
> >
> >> bye
> >> David
> >>
> >> On 12/13/21 11:32 AM, Claus Ibsen wrote:
> >>> On Mon, Dec 13, 2021 at 10:45 AM David Ecker <da...@ecker-software.de>
> >>> wrote:
> >>>> Hi,
> >>>>
> >>>> since it looks like camel/camel-k is directly affected by the
> >>>> vulnerability; Is a patch or a workaround for camel-k already available?
> >>>>
> >>> Where do you think that?
> >>>
> >>> camel-k runs on quarkus that is not affected. Camel is a library that
> >>> does not use log4j - we use slf4j-api as logging abstraction.
> >>> the builder pod for camel-k is using apache maven, which uses the
> >>> simpler logging from slf4j.
> >>>
> >>> not sure where you think log4j-core is active in use in camel-k.
> >>>
> >>> A blog post is in draft at
> >>> https://github.com/apache/camel-website/pull/714
> >>>
> >>>> Thanks,
> >>>> David
> >>>
> >
>

--
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2