On 13. 12. 2021, at 14:04, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:

On Mon, Dec 13, 2021 at 1:38 PM Sandro Bonazzola <sbonazzo@redhat.com> wrote:
So far we can't confirm whether oVirt engine systems are affected or not: the oVirt infra team is digging into this.
I can confirm that ovirt-engine-wildfly is shipping a log4j version which is affected by the vulnerability, and we are monitoring the Wildfly project so we'll be able to ship an update as soon as a fix is available (we are just repackaging the binary build they provide).
But I got no report so far confirming if the way we run Wildfly exposes the vulnerable system to potential attackers yet.

We concluded the investigation and we believe we are not affected. While a vulnerable log4j is being shipped (and will be fixed by wildfly/jboss), we are not using this functionality in any of our components.
Wildfly reimplements log4j and we use that instead; all other usage is in compile time, unit tests. We also use log4j 1.x, but without the JMSAppender at runtime.
Thanks to MartinP for confirmation.

Thanks,
michal




If I understood correctly reading here:

you are protected from the RCE if Java is 1.8 and greater than 1.8.121 (released in 2017)

"
If the server has Java runtimes later than 8u121, then it is protected against remote code execution by defaulting “com.sun.jndi.rmi.object.trustURLCodebase” and “com.sun.jndi.cosnaming.object.trustURLCodebase” to “false” (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html).
"

It is not clear to me if it means that Java 11 (and 17) also maintained that setting.
In one of my oVirt with 4.4.8 it seems that the engine is using the java-11-openjdk-headless-11.0.12.0.7-0.el8_4.x86_64 package.

Gianluca
_______________________________________________
Users mailing list -- users@ovirt.org
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/WH3WZLRM6NYC7MJVWSTA4LY5YWDF57VW/