[FOLIO-3363] Update reference deployments in light of log4j remote execution CVE-2021-44228 Created: 10/Dec/21 Updated: 31/Jan/22 Resolved: 31/Jan/22 |
|
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug | Priority: | TBD |
| Reporter: | Wayne Schneider | Assignee: | Wayne Schneider |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: |
| Sprint: | DevOps Sprint 130, DevOps Sprint 131, DevOps sprint 132, DevOps Sprint 129 |
| Development Team: | FOLIO DevOps |
| Description |
|
A zero-day remote code execution exploit has been reported affecting log4j2, used widely in FOLIO modules and Okapi. References: Reference deployments will need to be updated to mitigate the risk of DoS (other risks are not so large in these ephemeral systems). |
| Comments |
| Comment by Craig McNally [ 20/Jan/22 ] |
|
Wayne Schneider, John Malconian, is there anything that still needs to happen here, or can this be closed? |
| Comment by Wayne Schneider [ 27/Jan/22 ] |
|
For safety's sake, setting LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable globally for all modules spawned by Okapi and in the edge-modules playbook. |
| Comment by Wayne Schneider [ 28/Jan/22 ] |
|
Successful test with folio-snapshot-test. Overnight builds should pick up the changes. |
| Comment by Wayne Schneider [ 31/Jan/22 ] |
|
Changes validated on reference environments. |