On Mon, Dec 13, 2021 at 1:38 PM Sandro Bonazzola <sbonazzo@redhat.com> wrote:
> So far we can't confirm whether oVirt engine systems are affected or not: the oVirt infra team is digging into this.
> I can confirm that ovirt-engine-wildfly is shipping a log4j version which is affected by the vulnerability, and we are monitoring the Wildfly project so we'll be able to ship an update as soon as a fix is available (we are just repackaging the binary build they provide).
> But so far I have no report confirming whether the way we run Wildfly exposes the vulnerable system to potential attackers.

If I understood correctly reading here:
https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell

you are protected from the RCE if Java is 1.8 and greater than 1.8.121 (released in 2017):

"If the server has Java runtimes later than 8u121, then it is protected against remote code execution by defaulting “com.sun.jndi.rmi.object.trustURLCodebase” and “com.sun.jndi.cosnaming.object.trustURLCodebase” to “false” (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)."

It is not clear to me if it means that Java 11 (and 17) also maintained that setting.
In one of my oVirt 4.4.8 installations, it seems that the engine is using the java-11-openjdk-headless-11.0.12.0.7-0.el8_4.x86_64 package.

Gianluca
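As an added, defender-side example (not from the thread or the oVirt project): a Python check that applies the 8u121 rule quoted above to a `java -version` line or an installed RPM name, and also flags a JVM command line that sets either property back to true with `-D`. It assumes, as Gianluca's question leaves open, that Java 9 and later keep the false default; the sample inputs are constructed, apart from the RPM name taken from the message.

```python
import re

# The two JNDI properties named in the thread; Java 8u121 (per the Qualys post
# cited above) is the first Java 8 update that defaults them to false.
CODEBASE_PROPS = (
    "com.sun.jndi.rmi.object.trustURLCodebase",
    "com.sun.jndi.cosnaming.object.trustURLCodebase",
)
JAVA8_FIX_UPDATE = 121

def parse_java_version(text):
    """Return (major, update) from a `java -version` line or an RPM name.
    Accepts '1.8.0_121', '1.8.0.312', '8u121' and '11.0.12.0.7' styles."""
    m = re.search(r"\b1\.(\d+)\.\d+[._](\d+)\b", text)  # legacy 1.8.0_121 / 1.8.0.312
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.search(r"\b(\d+)u(\d+)\b", text)  # 8u121
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)  # 11.0.12 -> (11, 12)
    if m:
        return int(m.group(1)), int(m.group(3))
    raise ValueError(f"no Java version found in {text!r}")

def codebase_defaults_false(major, update):
    """Thread's rule: 8u121 or later defaults the properties to false.
    Assumption (not stated in the thread): Java 9+ kept that default."""
    if major >= 9:
        return True
    if major == 8:
        return update >= JAVA8_FIX_UPDATE
    return False  # Java 7 and older: the quoted rule says nothing, treat as unprotected

def explicit_true_overrides(cmdline):
    """Properties the JVM command line sets back to true, undoing the runtime default."""
    return [p for p in CODEBASE_PROPS
            if re.search(r"-D" + re.escape(p) + r"=true\b", cmdline)]

def assess(version_text, cmdline=""):
    """One verdict from runtime default plus command-line overrides. True only means
    the two codebase properties are false; the log4j library itself still needs the update."""
    major, update = parse_java_version(version_text)
    overrides = explicit_true_overrides(cmdline)
    return {"major": major, "update": update, "overrides": overrides,
            "protected": codebase_defaults_false(major, update) and not overrides}

if __name__ == "__main__":
    # Constructed inputs: the RPM from the message above and two made-up Java 8 lines.
    print(assess("java-11-openjdk-headless-11.0.12.0.7-0.el8_4.x86_64"))
    print(assess('openjdk version "1.8.0_111"'))
    print(assess('openjdk version "1.8.0_121"',
                 "java -Dcom.sun.jndi.rmi.object.trustURLCodebase=true -jar engine.jar"))
```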