Configuration Persistence Service / CPS-820

Address log4j vulnerability


Details

    Description

      This vulnerability applies to Java 11 as well if you are using log4j.

      The good news is that the remediation is pretty simple, either:

      • set the shell variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true, or
      • set the Java system property log4j2.formatMsgNoLookups=true


      Scope

      • CPS-NCMP (CPS-Core)
      • DMI-Plugin
      • CPS-Temporal
      • CPS-TBDMT


      Approach:

      1. Update the log4j version and exclude the existing (transitive) dependencies, see https://gerrit.onap.org/r/c/policy/parent/+/126234/1/integration/pom.xml
      2. Drop back to a previous version
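
      An added verification script, not part of this ticket or of the CPS project, that checks for each component in scope whether log4j-core has been upgraded (approach 1) or, failing that, whether one of the two lookup-disabling knobs above is set on a release that actually honours it. The jar manifests and component states are constructed samples, and the 2.10.0 (first release honouring the flag) and 2.15.0 (treated as fixed) thresholds are the editor's assumptions.

```python
import io
import re
import zipfile

ENV_FLAG = "LOG4J_FORMAT_MSG_NO_LOOKUPS"   # shell variable named in the ticket
SYS_PROP = "log4j2.formatMsgNoLookups"     # Java system property named in the ticket
# Assumption: 2.15.0+ is treated as fixed; the flag is only honoured from 2.10.0 on.
FIXED_FROM = (2, 15, 0)
FLAG_HONOURED_FROM = (2, 10, 0)

def log4j_core_version(jar_bytes):
    """Parse Implementation-Version from the jar manifest into an int tuple."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*([\d.]+)", manifest, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def lookups_disabled(env, java_opts):
    """Either knob counts; log4j parses the value case-insensitively, so 'True' works."""
    if env.get(ENV_FLAG, "").lower() == "true":
        return True
    m = re.search(r"-D" + re.escape(SYS_PROP) + r"=(\S+)", java_opts)
    return bool(m) and m.group(1).lower() == "true"

def assess(version, env, java_opts):
    """fixed (upgraded) > mitigated (flag set on a release that honours it) > vulnerable."""
    if version is None:
        return "unknown"
    if version >= FIXED_FROM:
        return "fixed"
    if version >= FLAG_HONOURED_FROM and lookups_disabled(env, java_opts):
        return "mitigated"
    return "vulnerable"

def make_jar(version):
    # Constructed stand-in for a log4j-core jar: only the manifest matters here.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()

# Constructed sample state (jar, environment, JAVA_OPTS) for the four components in scope.
COMPONENTS = {
    "CPS-NCMP": (make_jar("2.14.1"), {}, ""),
    "DMI-Plugin": (make_jar("2.14.1"), {}, "-Xmx512m -Dlog4j2.formatMsgNoLookups=True"),
    "CPS-Temporal": (make_jar("2.13.3"), {ENV_FLAG: "true"}, ""),
    "CPS-TBDMT": (make_jar("2.15.0"), {}, ""),
}

def report():
    return {n: assess(log4j_core_version(j), e, o) for n, (j, e, o) in COMPONENTS.items()}
```

      Note that a component on a release older than 2.10.0 is still reported as vulnerable even with the flag set, which is why the upgrade path is the one to verify first.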

      Possibly contact liamfallon to see how they handled it.

      "ONAP community, Please note that this vulnerability also exists in OpenDaylight Silicon SR2, which is currently being used in our Istanbul and Jakarta releases [1].  This can be remediated by adding the following to the JAVA_OPTS environment variable setting:

                      -Dlog4j2.formatMsgNoLookups=True

      In SDNC and CCSDK, we are tracking this issue with Jira CCSDK-3556.  The following Gerrit review applies the remediation changes to the SDNC helm charts:

      https://gerrit.onap.org/r/c/oom/+/126226 

      Dan"

      People

        Toine Siebelink (ToineSiebelink)