[ovirt-users] Re: oVirt and log4j vulnerability
On Mon, Dec 13, 2021 at 2:37 PM Derek Atkins <derek(a)ihtfp.com> wrote:
On Mon, December 13, 2021 8:04 am, Gianluca Cecchi wrote:
>>
> If I understood correctly reading here:
>
https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache...
>
> you are protected by the RCE if java is 1.8 and greater than 1.8.121
> (released on 2017)
Do you mean 1.8.0.121? For example, my system has:
java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64
-derek
Yes, what the link refers to as 8u121:
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html
Your version: 8u252 (or anyway based on it).
On my 4.4.8 engine I have
java-1.8.0-openjdk-headless-1.8.0.302.b08-0.el8_4.x86_64 but I have also
java-11-openjdk-headless-11.0.12.0.7-0.el8_4.x86_64 that is what
ovirt-engine uses, based on:
[root@ovmgr1 ovirt-engine]# ll /proc/$(pidof ovirt-engine)/fd | grep jvm
lr-x------. 1 ovirt ovirt 64 Sep 24 09:02 3 ->
/usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64/lib/modules
[root@ovmgr1 ovirt-engine]#
Gianluca
Attachments:
- attachment.html (text/html — 1.8 KB)