On 13. 12. 2021, at 14:04, Gianluca Cecchi
<gianluca.cecchi(a)gmail.com> wrote:
On Mon, Dec 13, 2021 at 1:38 PM Sandro Bonazzola <sbonazzo(a)redhat.com> wrote:
So far we can't confirm whether oVirt engine systems are affected or not: the oVirt
infra team is digging into this.
I can confirm that ovirt-engine-wildfly is shipping a log4j version which is affected by
the vulnerability and we are monitoring Wildfly project so we'll be able to ship an
update as soon as a fix will be available (we are just repackaging the binary build they
provide).
But I got no report so far confirming if the way we run Wildfly exposes the vulnerable
system to potential attackers yet.
We concluded the investigation and we believe we are not affected: while a vulnerable
log4j is being shipped (and will be fixed by wildfly/jboss), we are not using this
functionality in any of our components.
Wildfly reimplements log4j and we use that instead, all other usage is in compile time,
unit tests. We also use log4j 1.x but without the JMSAppender in runtime.
Thanks to MartinP for confirmation
Thanks,
michal
If I understood correctly reading here:
https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache...
you are protected from the RCE if Java is 1.8 and greater than 1.8.121 (released in 2017):
"
If the server has Java runtimes later than 8u121, then it is protected against remote
code execution by defaulting “com.sun.jndi.rmi.object.trustURLCodebase” and
“com.sun.jndi.cosnaming.object.trustURLCodebase” to “false”(see
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html).
"
It is not clear to me if it means that Java 11 (and 17) also maintained that setting.
In one of my oVirt 4.4.8 installations, it seems that the engine is using the
java-11-openjdk-headless-11.0.12.0.7-0.el8_4.x86_64 package.
Gianluca
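The thread's answer rests on an inventory question (which log4j jars are shipped, and whether the log4j 2 JNDI lookup class or the log4j 1.x JMSAppender is among them). The following scanner is an added example, not oVirt or Wildfly project code: it walks a directory tree of jars (the path, for instance a Wildfly modules directory, is assumed) and reports each archive that carries one of those classes together with its manifest version.

```python
import os
import sys
import zipfile

# Class files whose presence is worth reporting: the log4j 2 JNDI lookup
# class behind the vulnerability discussed above, and the log4j 1.x JMSAppender.
INDICATORS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j2-JndiLookup",
    "org/apache/log4j/net/JMSAppender.class": "log4j1-JMSAppender",
}

def manifest_version(jar):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def scan_jar(path):
    """Return (sorted indicator labels, manifest version) for one jar file."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        found = sorted(label for entry, label in INDICATORS.items() if entry in names)
        return found, manifest_version(jar)

def scan_tree(root):
    """Walk root (e.g. a Wildfly modules directory; the path is an assumption) and
    return {jar_path: (labels, version)} for every archive carrying an indicator.
    Archives nested inside wars/ears are not unpacked here."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            try:
                labels, version = scan_jar(path)
            except zipfile.BadZipFile:
                continue  # not a zip archive; skip rather than abort the scan
            if labels:
                hits[path] = (labels, version)
    return hits

if __name__ == "__main__":
    for jar_path, (labels, version) in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{jar_path}: {', '.join(labels)} (version {version or 'unknown'})")
```

A hit on JndiLookup or JMSAppender only shows the class is present on disk; whether the runtime actually uses it (the point Michal makes above) still has to be checked against the deployment's logging configuration.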
_______________________________________________
Users mailing list -- users(a)ovirt.org
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WH3WZLRM6NY...