> On 13. 12. 2021, at 14:04, Gianluca Cecchi <gianluca.cec...@gmail.com> wrote:
> 
> On Mon, Dec 13, 2021 at 1:38 PM Sandro Bonazzola <sbona...@redhat.com> wrote:
> So far we can't confirm whether oVirt engine systems are affected or not: the 
> oVirt infra team is digging into this.
> I can confirm that ovirt-engine-wildfly is shipping a log4j version which is 
> affected by the vulnerability and we are monitoring Wildfly project so we'll 
> be able to ship an update as soon as a fix will be available (we are just 
> repackaging the binary build they provide).
> But I got no report so far confirming if the way we run Wildfly exposes the 
> vulnerable system to potential attackers yet.

We concluded the investigation and we believe we are not affected: while a 
vulnerable log4j is being shipped (and will be fixed by wildfly/jboss), we are 
not using this functionality in any of our components.
Wildfly reimplements log4j and we use that instead; all other usage is at 
compile time or in unit tests. We also use log4j 1.x, but without the JMSAppender at 
runtime.
Thanks to MartinP for the confirmation.

Thanks,
michal

> 
> If I understood correctly reading here:
> https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell
> 
> you are protected from the RCE if Java is 1.8 and greater than 1.8.121 
> (released in 2017) 
> 
> "
> If the server has Java runtimes later than 8u121, then it is protected 
> against remote code execution by defaulting 
> “com.sun.jndi.rmi.object.trustURLCodebase” and 
> “com.sun.jndi.cosnaming.object.trustURLCodebase” to “false”(see 
> https://www.oracle.com/java/technologies/javase/8u121-relnotes.html).
> "
> 
> It is not clear to me if it means that Java 11 (and 17) also maintained that 
> setting.
> In one of my oVirt 4.4.8 setups it seems that the engine is using the 
> java-11-openjdk-headless-11.0.12.0.7-0.el8_4.x86_64 package
> 
> Gianluca
> _______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct: 
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives: 
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/WH3WZLRM6NYC7MJVWSTA4LY5YWDF57VW/

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/GHGNV72UMH2IK5USAK7NJDK2KL7NZHFY/
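The thread turns on two facts a defender can check on disk: which log4j-core 2.x builds are present and whether they still package JndiLookup, and whether a log4j 1.x jar carries JMSAppender. The script below is an added example, not oVirt or Wildfly code: it walks a directory tree, opens every jar/war/ear (and jars nested one level inside a war/ear), reads Implementation-Version from the manifest and reports the two classes named in the thread. The constants MIN_OK_LOG4J2, the sample jars built by demo() and the helper names are my assumptions, not values from the thread; the version threshold in particular should be taken from the current Apache Log4j security page before the output is relied on.

```python
"""Inventory log4j artifacts under a directory and flag the ones needing attention.
Added example, not oVirt or Wildfly code; jars nested one level inside a war/ear are inspected too."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
# Assumption: 2.x below this version is flagged; check the current Apache Log4j
# security page and adjust before relying on it.
MIN_OK_LOG4J2: Tuple[int, ...] = (2, 17, 1)

@dataclass
class Finding:
    path: str                          # "outer.war!/inner.jar" when nested
    flavour: str                       # "log4j2" or "log4j1"
    version: Optional[Tuple[int, ...]]
    jndi_lookup: bool
    jms_appender: bool

    @property
    def needs_attention(self) -> bool:
        if self.flavour == "log4j2":
            # Unknown version counts as old; a packaged JndiLookup is flagged regardless.
            return self.jndi_lookup or self.version is None or self.version < MIN_OK_LOG4J2
        return self.jms_appender

def parse_version(manifest: str) -> Optional[Tuple[int, ...]]:
    """Pull a dotted numeric Implementation-Version out of MANIFEST.MF text."""
    m = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", manifest, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def inspect_one(zf: zipfile.ZipFile, path: str) -> Optional[Finding]:
    """Classify a single archive by the log4j classes it carries."""
    names = set(zf.namelist())
    is_log4j2 = any(n.startswith("org/apache/logging/log4j/core/") for n in names)
    is_log4j1 = any(n.startswith("org/apache/log4j/") and n.endswith(".class") for n in names)
    if not (is_log4j2 or is_log4j1):
        return None
    manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    return Finding(path, "log4j2" if is_log4j2 else "log4j1", parse_version(manifest),
                   JNDI_LOOKUP in names, JMS_APPENDER in names)

def inspect_archive(zf: zipfile.ZipFile, path: str, depth: int = 0) -> List[Finding]:
    """Inspect an archive and, one level deep, any jars bundled inside it."""
    finding = inspect_one(zf, path)
    out = [finding] if finding else []
    if depth < 1:
        for n in zf.namelist():
            if n.lower().endswith(".jar"):
                try:
                    with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                        out.extend(inspect_archive(inner, f"{path}!/{n}", depth + 1))
                except zipfile.BadZipFile:
                    pass
    return out

def scan_tree(root: str) -> List[Finding]:
    """Walk root and inspect every jar/war/ear; unreadable archives are skipped."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                p = os.path.join(dirpath, name)
                try:
                    with zipfile.ZipFile(p) as zf:
                        found.extend(inspect_archive(zf, p))
                except zipfile.BadZipFile:
                    continue
    return sorted(found, key=lambda f: f.path)

def make_jar(dest, version: Optional[str], classes: List[str]) -> None:
    """Write a constructed sample jar (path or BytesIO): a manifest plus empty class entries."""
    with zipfile.ZipFile(dest, "w") as zf:
        if version:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        for c in classes:
            zf.writestr(c, b"")

def demo() -> List[Finding]:
    """Build a constructed sample tree in a temp dir, scan it and return the findings."""
    core = "org/apache/logging/log4j/core/Logger.class"
    with tempfile.TemporaryDirectory() as root:
        make_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", [core, JNDI_LOOKUP])
        make_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", [core])
        make_jar(os.path.join(root, "log4j-1.2.17.jar"), "1.2.17", ["org/apache/log4j/Logger.class", JMS_APPENDER])
        make_jar(os.path.join(root, "unrelated.jar"), "3.0", ["com/example/App.class"])
        inner = io.BytesIO()  # an old log4j-core bundled inside a war, one level down
        make_jar(inner, "2.13.0", [core, JNDI_LOOKUP])
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.13.0.jar", inner.getvalue())
        return scan_tree(root)

if __name__ == "__main__":
    for f in demo():
        print("ATTENTION" if f.needs_attention else "ok       ", f.path, f.flavour, f.version)
```

Run scan_tree() against the engine's install prefix to get the on-disk picture. It deliberately reports what is packaged, not what is configured: a log4j 1.x jar that ships JMSAppender.class is still listed even when, as Michal describes, the appender is never configured at runtime, and a log4j-core that is only pulled in for compile time or unit tests looks the same as one on the runtime classpath. Cross-check the findings against what the running JVM has actually loaded (for example with jcmd <pid> GC.class_histogram) before closing the question.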
