12:16 a.m.
Hi Team ,
Could you please let me know if FreeIPA version 4.6.8 is being impacted
with CVE-2021-44228 log4j2 Vulnerability ? and if Yes , what changes can be
applied to remediate it ?
12:36 a.m.
New subject: CVE-2021-44228 log4j2 Vulnerbility | FreeIPA version 4.6.8
Below are the log4J jar i can see on my server where freeIPA 4.6.8 is being installed. Are
these related to freeIPA ?
sudo find / -xdev -type f -name '*log4j*.jar'
/usr/share/java/log4j.jar
/usr/share/java/slf4j/log4j-over-slf4j.jar
/usr/share/java/slf4j/slf4j-log4j12.jar
/opt/minion/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.2/pax-logging-log4j2-1.10.2.jar
1 a.m.
New subject: CVE-2021-44228 log4j2 Vulnerbility | FreeIPA version 4.6.8
dunno.... but since it's part of rhel you could check out
https://access.redhat.com/security/cve/cve-2021-44228
Op ma 13 dec. 2021 om 07:36 schreef GAURAV Pande via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org>:
Below are the log4J jar i can see on my server where freeIPA 4.6.8
is
being installed. Are these related to freeIPA ?
sudo find / -xdev -type f -name '*log4j*.jar'
/usr/share/java/log4j.jar
/usr/share/java/slf4j/log4j-over-slf4j.jar
/usr/share/java/slf4j/slf4j-log4j12.jar
/opt/minion/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.2/pax-logging-log4j2-1.10.2.jar
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
1:07 a.m.
New subject: CVE-2021-44228 log4j2 Vulnerbility | FreeIPA version 4.6.8
On ma, 13 joulu 2021, GAURAV Pande via FreeIPA-users wrote:
Hi Team ,
Could you please let me know if FreeIPA version 4.6.8 is being impacted
with CVE-2021-44228 log4j2 Vulnerability ? and if Yes , what changes can be
applied to remediate it ?
FreeIPA itself does not have Java components. pki-ca does, so the
question would rather be for PKI mailing list.
Please do not duplicate threads, there is already one for this
discussion.
If you are using web-interface to look at the freeipa-users@ mailing
list, please also do not forged about proper quoting to what you
respond.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1:12 a.m.
New subject: CVE-2021-44228 log4j2 Vulnerbility | FreeIPA version 4.6.8
Shouldn’t it be up to the solution provider to answer this question rather than leave it
up to the user?
pki is part of freeipa, it’s not my choice to install it.
We will check over at pki-ca anyway.
Thanks
>
> On 13 Dec 2021, at 08:08, Alexander Bokovoy via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>
> On ma, 13 joulu 2021, GAURAV Pande via FreeIPA-users wrote:
>> Hi Team ,
>> Could you please let me know if FreeIPA version 4.6.8 is being impacted
>> with CVE-2021-44228 log4j2 Vulnerability ? and if Yes , what changes can be
>> applied to remediate it ?
>
> FreeIPA itself does not have Java components. pki-ca does, so the
> question would rather be for PKI mailing list.
>
> Please do not duplicate threads, there is already one for this
> discussion.
>
> If you are using web-interface to look at the freeipa-users@ mailing
> list, please also do not forged about proper quoting to what you
> respond.
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
1:32 a.m.
New subject: CVE-2021-44228 log4j2 Vulnerbility | FreeIPA version 4.6.8
On ma, 13 joulu 2021, Christophe Trefois wrote:
Shouldn’t it be up to the solution provider to answer this question
rather than leave it up to the user?
pki is part of freeipa, it’s not my choice to install it.
We will check over at pki-ca anyway.
See my other response in the thread which came first. I think we are not
affected at all because by default Dogtag does not use log4j in all
supported distributions.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1:39 a.m.
New subject: CVE-2021-44228 log4j2 Vulnerbility | FreeIPA version 4.6.8
Gotcha. The replies came in in parallel.
Thanks for the details Alexander !
Sent from my iPhone
Team Leader R3
> On 13 Dec 2021, at 08:32, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>
> On ma, 13 joulu 2021, Christophe Trefois wrote:
>> Shouldn’t it be up to the solution provider to answer this question rather than
leave it up to the user?
>>
>> pki is part of freeipa, it’s not my choice to install it.
>>
>> We will check over at pki-ca anyway.
>
> See my other response in the thread which came first. I think we are not
> affected at all because by default Dogtag does not use log4j in all
> supported distributions.
>
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
858
days inactive
858
days old
freeipa-users@lists.fedorahosted.org
6 comments
4 participants
participants (4)
-
Alexander Bokovoy -
Christophe Trefois -
GAURAV Pande -
Rob Verduijn