Hi,
no, I am not sure :)
but if it's only the log4j-api package it should not be vulnerable either:
But I am guessing for a real answer you need to wait for a maintainer of
the package :)
Greetings
Klaas
On 12/12/21 15:48, Kapetanakis Giannis wrote:
Are you sure?
lsof -n -P |grep log4j
java 2977 892943 EE-Manage ovirt 213r
REG 253,0 301418 2071533
/usr/share/ovirt-engine-wildfly/modules/system/layers/base/org/apache/logging/log4j/api/main/log4j-api-2.14.0.jar
seems vulnerable to me.
ovirt 2977 1.1 11.9 3955136 1954500 ? Sl Dec03 157:37
ovirt-engine --add-modules java.se -server -XX:+TieredCompilation
-Xms1462M -Xmx1462M -Xss1M -Djava.awt.headless=true
-Dsun.rmi.dgc.client.gcInterval=3600000
-Dsun.rmi.dgc.server.gcInterval=3600000
-Djsse.enableSNIExtension=false -Dresteasy.preferJacksonOverJsonB=true
-Djackson.deserialization.whitelist.packages=org,com,java,javax
-Dcom.redhat.fips=false -XX:+HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=/var/log/ovirt-engine/dump
-Djava.util.logging.manager=org.jboss.logmanager
-Dlogging.configuration=file:///var/lib/ovirt-engine/jboss_runtime/config/ovirt-engine-logging.properties
-Dorg.jboss.resolver.warning=true
-Djboss.modules.system.pkgs=org.jboss.byteman
-Djboss.server.default.config=ovirt-engine
-Djboss.home.dir=/usr/share/ovirt-engine-wildfly
-Djboss.server.base.dir=/usr/share/ovirt-engine
-Djboss.server.data.dir=/var/lib/ovirt-engine
-Djboss.server.log.dir=/var/log/ovirt-engine
-Djboss.server.config.dir=/var/lib/ovirt-engine/jboss_runtime/config
-Djboss.server.temp.dir=/var/lib/ovirt-engine/jboss_runtime/tmp
-Djboss.controller.temp.dir=/var/lib/ovirt-engine/jboss_runtime/tmp
-jar /usr/share/ovirt-engine-wildfly/jboss-modules.jar -mp
/usr/share/ovirt-engine-wildfly-overlay/modules:/usr/share/ovirt-engine/modules/common:/usr/share/ovirt-engine-extension-aaa-jdbc/modules:/usr/share/ovirt-engine-extension-aaa-ldap/modules:/usr/share/ovirt-engine-wildfly/modules
-jaxpmodule javax.xml.jaxp-provider org.jboss.as.standalone -c
ovirt-engine.xml
rpm -qf
/usr/share/ovirt-engine-wildfly/modules/system/layers/base/org/apache/logging/log4j/api/main/log4j-api-2.14.0.jar
ovirt-engine-wildfly-23.0.2-1.el8.x86_64
I believe we should start engine with -Dlog4j2.formatMsgNoLookups=true
for mitigation but I cannot find where to apply this for jboss.
maybe directly in
/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.py
somewhere in _engineArgs
G
On 12/12/2021 10:25, Klaas Demter wrote:
>
> Hi,
>
> I think this only affects between 2.0 <= and <= 2.14.1
> (
https://bugzilla.redhat.com/show_bug.cgi?id=2030932)
>
> ovirt engine uses 1.2.17
>
>
> So I don't think this hits ovirt 4.4
>
>
> Greetings
>
> Klaas
>
>
> On 12/11/21 22:53, Chris Adams wrote:
>> Can an oVirt developer comment about the log4j vulnerability - is
>> oVirt's use of log4j vulnerable?
>
> _______________________________________________
> Users mailing list --users(a)ovirt.org
> To unsubscribe send an email tousers-leave(a)ovirt.org
> Privacy
Statement:https://www.ovirt.org/privacy-policy.html
> oVirt Code of
Conduct:https://www.ovirt.org/community/about/community-guidelines/
> List
Archives:https://lists.ovirt.org/archives/list/users@ovirt.org/message/TH...
_______________________________________________
Users mailing list --users(a)ovirt.org
To unsubscribe send an email tousers-leave(a)ovirt.org
Privacy
Statement:https://www.ovirt.org/privacy-policy.html
oVirt Code of
Conduct:https://www.ovirt.org/community/about/community-guidelines/
List
Archives:https://lists.ovirt.org/archives/list/users@ovirt.org/message/3W...