Status of Log4j vulnerability

We are having to document vendor statements pertaining to the Log4j RCE CVE-2021-44228 vulnerabilities.

Is PetaSAN vulnerable to this exploit?

Thanks,
Neil

Same question. I can see a Java file on PetaSAN under:
java: /usr/share/java

As it's quite urgent, a quick answer will be appreciated.

We do not ship log4j in PetaSAN.

What version of PetaSAN are you using?

Can you show output of:

dpkg -l

dpkg -S /usr/bin/java

dpkg -s petasan | grep Version
Version: 2.8.1

dpkg -S /usr/bin/java
dpkg-query: no path found matching pattern /usr/bin/java

I ran log4jscanner to find more details and it seems the RAID Manager deployed on PetaSAN has Java references:

[INFO] Looking for files containing log4j...
[WARNING] Maybe vulnerable, those files contain the name:
/usr/StorMan/WebContent/config/log4j.xml
/usr/StorMan/WebContent/WEB-INF/lib/log4j-core-2.14.0.jar
/usr/StorMan/WebContent/WEB-INF/lib/log4j2.xml
/usr/StorMan/WebContent/WEB-INF/lib/log4j-api-2.14.0.jar
/usr/StorMan/config/log4j.xml
/usr/StorMan/apache-tomcat/webapps/maxview/config/log4j.xml
/usr/StorMan/apache-tomcat/webapps/maxview/WEB-INF/lib/log4j-core-2.14.0.jar
/usr/StorMan/apache-tomcat/webapps/maxview/WEB-INF/lib/log4j2.xml
/usr/StorMan/apache-tomcat/webapps/maxview/WEB-INF/lib/log4j-api-2.14.0.jar
/usr/StorMan/apache-tomcat/lib/log4j2.xml

I guess that clears the issue, and I do appreciate the confirmation that PetaSAN doesn't ship with log4j.

Regards,
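
Added example, not part of the thread and not code from PetaSAN or log4jscanner: a short Python triage of scanner hits like those listed above, separating log4j-core jars in the CVE-2021-44228 affected range from name-only matches (log4j-api jars, XML configs). The function names and the /opt/example path are hypothetical; the version range is Apache's published one for this CVE (2.0-beta9 through 2.14.1, with fixes backported to 2.12.2 and 2.3.1).

```python
import re

# log4j-core 2.0-beta9 through 2.14.1 is affected by CVE-2021-44228; 2.15.0
# fixed it, with backports in 2.12.2+ (Java 7) and 2.3.1+ (Java 6).
# Assumption: earlier 2.0 pre-releases are conservatively treated as affected.
CORE_JAR = re.compile(r"/log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")


def core_affected(version):
    """True if this log4j-core (major, minor, patch) predates the fix."""
    major, minor, patch = version
    if major != 2:
        return False  # not a log4j 2.x core jar, so not this CVE
    if minor == 12 and patch >= 2:
        return False
    if minor == 3 and patch >= 1:
        return False
    return minor < 15


def triage(paths):
    """Map each scanner hit to 'affected-core', 'fixed-core' or 'not-core'."""
    result = {}
    for path in paths:
        m = CORE_JAR.search(path)
        if not m:
            # log4j-api jars and log4j*.xml configs match on name only;
            # the JNDI lookup code lives in log4j-core.
            result[path] = "not-core"
            continue
        version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
        result[path] = "affected-core" if core_affected(version) else "fixed-core"
    return result


# Constructed sample: four paths from the scanner output above plus one
# hypothetical patched jar for contrast.
SAMPLE = [
    "/usr/StorMan/WebContent/config/log4j.xml",
    "/usr/StorMan/WebContent/WEB-INF/lib/log4j-core-2.14.0.jar",
    "/usr/StorMan/WebContent/WEB-INF/lib/log4j-api-2.14.0.jar",
    "/usr/StorMan/apache-tomcat/webapps/maxview/WEB-INF/lib/log4j-core-2.14.0.jar",
    "/opt/example/lib/log4j-core-2.17.1.jar",  # hypothetical
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:14} {path}")
```

An "affected-core" verdict means a jar in the affected version range is present on disk; which package or vendor owns it still has to be established separately, as the `dpkg -S` check in the thread does.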