[FOLIO-3363] Update reference deployments in light of log4j remote execution CVE-2021-44228 Created: 10/Dec/21  Updated: 31/Jan/22  Resolved: 31/Jan/22

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: TBD
Reporter: Wayne Schneider Assignee: Wayne Schneider
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Defines
defines SECURITY-6 Log4j vulnerability CVE-2021-44228 is ... Completed
Relates
relates to FOLIO-3364 Update everything to log4j >= 2.16.0 ... Closed
Sprint: DevOps Sprint 130, DevOps Sprint 131, DevOps sprint 132, DevOps Sprint 129
Development Team: FOLIO DevOps

Description

A zero-day remote code execution exploit has been reported affecting log4j2, which is used widely in FOLIO modules and Okapi.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/

Reference deployments will need to be updated to mitigate the risk of DoS (other risks are not so large in these ephemeral systems).



Comments
Comment by Craig McNally [ 20/Jan/22 ]

Wayne Schneider, John Malconian is there anything that still needs to happen here, or can this be closed?

Comment by Wayne Schneider [ 27/Jan/22 ]

For safety's sake, setting LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable globally for all modules spawned by Okapi and in the edge-modules playbook.
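As an added illustration of the checks behind this ticket (example code written for this page, not FOLIO, Okapi or log4j project code), the script below reads the log4j-core version from a jar's Maven pom.properties and classifies the jar as already at the fixed version (2.16.0, the threshold from FOLIO-3364), as covered by the interim LOG4J_FORMAT_MSG_NO_LOOKUPS environment-variable mitigation, or as still needing attention. The sample jars are constructed in memory; the rule that the environment variable only takes effect on log4j 2.10 and later is a fact about log4j that the page itself does not state.

```python
"""Check a jar for a log4j-core version that needs the CVE-2021-44228
remediation, and whether the interim environment-variable mitigation
is in place.  Added example for this page, not FOLIO project code."""
import io
import os
import zipfile

# Version from which the project treats the issue as fixed (FOLIO-3364).
FIXED_VERSION = (2, 16, 0)
# formatMsgNoLookups exists only from log4j 2.10 on (log4j fact, not on the page).
ENV_MITIGATION_MIN_VERSION = (2, 10, 0)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ENV_VAR = "LOG4J_FORMAT_MSG_NO_LOOKUPS"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '2.0-beta9' are dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def log4j_core_version(jar_bytes):
    """Return the version recorded in log4j-core's pom.properties, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def assess(jar_bytes, env):
    """Classify a jar: 'not-log4j-core', 'fixed', 'mitigated' or 'vulnerable'.

    env is a mapping such as os.environ; only the variable named in the
    ticket comment is consulted."""
    version = log4j_core_version(jar_bytes)
    if version is None:
        return "not-log4j-core"
    parsed = parse_version(version)
    if parsed >= FIXED_VERSION:
        return "fixed"
    if parsed < ENV_MITIGATION_MIN_VERSION:
        return "vulnerable"  # the env var is ignored by these releases
    if env.get(ENV_VAR, "").strip().lower() == "true":
        return "mitigated"  # interim mitigation; upgrade per FOLIO-3364 remains due
    return "vulnerable"


def make_sample_jar(version=None):
    """Construct a minimal in-memory jar (constructed test data, not a real artifact).

    With version=None the jar carries no log4j-core pom.properties at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            zf.writestr(POM_PROPS,
                        "groupId=org.apache.logging.log4j\n"
                        "artifactId=log4j-core\n"
                        f"version={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Demonstration against constructed jars and the real process environment.
    for label, jar in (("2.14.1", make_sample_jar("2.14.1")),
                       ("2.16.0", make_sample_jar("2.16.0")),
                       ("2.8.2", make_sample_jar("2.8.2")),
                       ("no log4j-core", make_sample_jar())):
        print(f"{label:>14}: {assess(jar, os.environ)}")
```

Point `assess` at the bytes of any jar from a deployed module to reproduce the check; the environment mapping passed in should be the one the Java process actually inherits, which for modules spawned by Okapi means the environment Okapi exports to them rather than the shell you run this script from.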

Comment by Wayne Schneider [ 28/Jan/22 ]

Successful test with folio-snapshot-test. Overnight builds should pick up the changes.

Comment by Wayne Schneider [ 31/Jan/22 ]

Changes validated on reference environments.

Generated at Thu Feb 08 23:27:32 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.