Configuration Persistence Service: CPS-820

Address log4j vulnerability


      This vulnerability applies to Java 11 as well if you’re using log4j.

      The good news is the remediation is pretty simple. Either:

      • set the shell variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true, or
      • set the Java system property log4j2.formatMsgNoLookups=true


      Scope

      • CPS-NCMP (CPS-Core)
      • DMI-Plugin
      • CPS-Temporal
      • CPS-TBDMT


      Approach:

      1. Update versions of log4j and exclude existing dependencies: https://gerrit.onap.org/r/c/policy/parent/+/126234/1/integration/pom.xml
      2. Drop back to previous version

      Possibly contact liamfallon to see how they handled it.

      "ONAP community, please note that this vulnerability also exists in OpenDaylight Silicon SR2, which is currently being used in our Istanbul and Jakarta releases [1]. This can be remediated by adding the following to the JAVA_OPTS environment variable setting:

                      -Dlog4j2.formatMsgNoLookups=True

      In SDNC and CCSDK, we are tracking this issue with Jira CCSDK-3556.  The following Gerrit review applies the remediation changes to the SDNC helm charts:

      https://gerrit.onap.org/r/c/oom/+/126226 

      Dan"

            Toine Siebelink
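The ticket describes two remediation paths: setting the no-lookups switch (system property or environment variable) and bumping the log4j version. The script below is an added example, not code from the CPS project or from the ticket, that lets an operator verify both offline: it checks whether the switch is present in a JAVA_OPTS string or environment (accepting the capitalised `True` used in the quoted JAVA_OPTS, since log4j parses the value with Boolean.parseBoolean), reads the log4j-core version a jar actually ships from its Maven pom.properties, and checks whether JndiLookup.class is still inside. Two facts it relies on: log4j-core only reads the switch from 2.10.0 onward, and 2.15.0 is the first release that disables message lookups by default. The `DEFAULT_FIXED_FROM` floor of 2.15.0 is an assumption of this example (the ticket names no target version); the sample jar is constructed in the script and contains no real classes.

```python
"""Offline checks for the two log4j remediation paths described in CPS-820.

Added example, not code from the CPS project. It verifies (a) that the
no-lookups switch is present in a JVM's launch options or environment and
(b) which log4j-core version a jar really ships and whether JndiLookup is
still packaged in it.
"""
import io
import re
import zipfile

SYSPROP = "log4j2.formatMsgNoLookups"      # -Dlog4j2.formatMsgNoLookups=true
ENVVAR = "LOG4J_FORMAT_MSG_NO_LOOKUPS"     # LOG4J_FORMAT_MSG_NO_LOOKUPS=true
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# log4j-core reads the switch from 2.10.0 on; older releases silently ignore it.
FLAG_SUPPORTED_FROM = (2, 10, 0)
# Assumed floor for "fixed" (not from the ticket): 2.15.0 is the first release
# with message lookups disabled by default. Callers may pass a higher floor.
DEFAULT_FIXED_FROM = (2, 15, 0)


def no_lookups_switch_set(java_opts, env):
    """True if the system property or the environment variable is set to true.

    log4j parses both with Boolean.parseBoolean, so the case of the value does
    not matter ("True" in the quoted JAVA_OPTS is accepted). Precedence between
    the two sources when they disagree is not modelled here.
    """
    m = re.search(r"-D" + re.escape(SYSPROP) + r"=(\S+)", java_opts or "")
    if m and m.group(1).lower() == "true":
        return True
    return (env or {}).get(ENVVAR, "").strip().lower() == "true"


def parse_version(text):
    """Take the first three numeric groups: '2.14.1' -> (2, 14, 1), '2.17' -> (2, 17, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def inspect_log4j_core(jar_bytes):
    """Read the shipped log4j-core version and check whether JndiLookup is present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return {"version": version, "has_jndi_lookup": JNDI_LOOKUP in names}


def classify(report, switch_set, fixed_from=DEFAULT_FIXED_FROM):
    """'fixed', 'mitigated' (class present, switch set and honoured) or 'exposed'."""
    if not report["has_jndi_lookup"]:
        return "fixed"                      # JndiLookup removed from the jar
    version = report["version"]
    if version is not None and parse_version(version) >= fixed_from:
        return "fixed"
    if switch_set and version is not None and parse_version(version) >= FLAG_SUPPORTED_FROM:
        return "mitigated"
    return "exposed"                        # switch unset, version unknown, or too old to honour it


def build_sample_jar(version, with_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar (layout only, no real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n"
                               f"version={version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    opts = "-Xmx1g -Dlog4j2.formatMsgNoLookups=True"  # as in the quoted JAVA_OPTS
    for ver in ("2.9.1", "2.14.1", "2.15.0"):
        rep = inspect_log4j_core(build_sample_jar(ver))
        print(ver, rep, classify(rep, no_lookups_switch_set(opts, {})))
```

Run against a real deployment by feeding `inspect_log4j_core` the bytes of each log4j-core jar found in the image (including jars nested inside a fat jar) and `no_lookups_switch_set` the container's JAVA_OPTS and environment. A 2.9.x jar is reported as exposed even with the switch set, which is the case the switch-only remediation misses.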