On Mon, Dec 13, 2021 at 1:38 PM Sandro Bonazzola <sbonazzo(a)redhat.com>
wrote:
> So far we can't confirm whether oVirt engine systems are affected or not:
> the oVirt infra team is digging into this.
> I can confirm that ovirt-engine-wildfly is shipping a log4j version which
> is affected by the vulnerability, and we are monitoring the Wildfly project so
> we'll be able to ship an update as soon as a fix is available (we are
> just repackaging the binary build they provide).
> But I have no report so far confirming whether the way we run Wildfly exposes
> the vulnerable system to potential attackers.
If I understood correctly reading here:
https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache...
you are protected from the RCE if Java is 1.8 and greater than 1.8.121
(released in 2017):
"
If the server has Java runtimes later than 8u121, then it is protected
against remote code execution by defaulting
“com.sun.jndi.rmi.object.trustURLCodebase” and
“com.sun.jndi.cosnaming.object.trustURLCodebase” to “false”(see
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html).
"
It is not clear to me if it means that Java 11 (and 17) also maintained
that setting.
In one of my oVirt 4.4.8 installations, it seems that the engine is using the
java-11-openjdk-headless-11.0.12.0.7-0.el8_4.x86_64 package.
Gianluca
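A defender-side check for the two questions raised in this thread (whether a bundled log4j-core jar still carries the JNDI lookup class, and whether the JDK is at or past the 8u121 release whose trustURLCodebase defaults are quoted above), written as an added Python example that is not part of this mailing-list thread nor of the oVirt or Wildfly projects. The 2.15.0 fix threshold for log4j-core is an assumption not stated in the thread, and the sample jar is constructed so the check can run offline.

```python
import io
import re
import zipfile

# JDK 8u121 is where the release notes linked in the thread switched the JNDI
# trustURLCodebase defaults to false; JDK 11/17 compare as later on major alone.
JDK_SAFE_FROM = (8, 121)
# First log4j-core release that closed the JNDI lookup RCE (assumed, not stated in the thread).
LOG4J_FIXED_FROM = (2, 15, 0)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_java_version(text: str) -> tuple:
    """'1.8.0_121', '11.0.12' or an rpm name such as java-11-openjdk-headless-11.0.12.0.7 -> (major, update)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", text)
    if not m:
        raise ValueError("no java version found in %r" % text)
    legacy = m.group(1) == "1"  # '1.8.0_121' style puts the major in the second field
    major = int(m.group(2)) if legacy else int(m.group(1))
    update = int(m.group(4)) if m.group(4) else int(m.group(3))
    return (major, update)

def jndi_codebase_untrusted_by_default(version: tuple) -> bool:
    """True at or past 8u121, where com.sun.jndi.*.object.trustURLCodebase defaults to false."""
    return version >= JDK_SAFE_FROM

def assess_log4j_jar(data: bytes) -> dict:
    """Read a jar from bytes; report its log4j-core version and whether JndiLookup.class is inside."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                m = re.match(r"version=(\d+)\.(\d+)(?:\.(\d+))?", line)
                if m:
                    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
        has_jndi = JNDI_LOOKUP in names
        # An unknown version that still ships JndiLookup is reported as affected, erring safe.
        affected = has_jndi and (version is None or version < LOG4J_FIXED_FROM)
        return {"version": version, "jndi_lookup": has_jndi, "affected": affected}

def build_sample_jar(version: str, with_jndi: bool) -> bytes:
    """Constructed input so the check runs offline: a minimal jar shaped like log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()
```

On a real host, feed `assess_log4j_jar(open(path, "rb").read())` the log4j-core jars found under the Wildfly modules tree and `parse_java_version` the output of `java -version` or the installed rpm name.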