Status of Log4j vulnerability
neiltorda
98 Posts
December 16, 2021, 3:13 pm
We are having to document vendor statements pertaining to the Log4j RCE CVE-2021-44228 vulnerabilities.
Is PetaSAN vulnerable to this exploit?
Thanks,
Neil
idar
8 Posts
December 20, 2021, 12:32 pm
Same question. I can see Java file on PetaSAN under:
java: /usr/share/java
As it's quite urgent, a quick answer will be appreciated.
Last edited on December 20, 2021, 12:32 pm by idar · #2
admin
2,930 Posts
December 20, 2021, 3:50 pm
We do not ship log4j in PetaSAN.
What version of PetaSAN are you using?
Can you show output of:
dpkg -l
dpkg -S /usr/bin/java
idar
8 Posts
December 20, 2021, 5:17 pm
dpkg -s petasan | grep Version
Version: 2.8.1
dpkg -S /usr/bin/java
dpkg-query: no path found matching pattern /usr/bin/java
I ran log4jscanner to find more details and it seems the RAID Manager deployed on PetaSAN has Java references:
[INFO] Looking for files containing log4j...
[WARNING] Maybe vulnerable, those files contain the name:
/usr/StorMan/WebContent/config/log4j.xml
/usr/StorMan/WebContent/WEB-INF/lib/log4j-core-2.14.0.jar
/usr/StorMan/WebContent/WEB-INF/lib/log4j2.xml
/usr/StorMan/WebContent/WEB-INF/lib/log4j-api-2.14.0.jar
/usr/StorMan/config/log4j.xml
/usr/StorMan/apache-tomcat/webapps/maxview/config/log4j.xml
/usr/StorMan/apache-tomcat/webapps/maxview/WEB-INF/lib/log4j-core-2.14.0.jar
/usr/StorMan/apache-tomcat/webapps/maxview/WEB-INF/lib/log4j2.xml
/usr/StorMan/apache-tomcat/webapps/maxview/WEB-INF/lib/log4j-api-2.14.0.jar
/usr/StorMan/apache-tomcat/lib/log4j2.xml
I guess that clears the issue, and I do appreciate the confirmation that PetaSAN doesn't ship with log4j.
Regards,
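A way to triage the name-based scanner hits listed in the post above, added here as an example and not part of the original thread: it separates configuration files and `log4j-api` from `log4j-core`, compares the core version with 2.15.0 (the first 2.x release that addresses CVE-2021-44228), and checks whether the `JndiLookup` class is still in the archive. The `triage` and `make_jar` helpers and the category labels are hypothetical, the jar contents are constructed, and backport branches are not handled.

```python
import io
import re
import zipfile

FIXED = (2, 15, 0)  # first 2.x release that addresses CVE-2021-44228
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"log4j-(core|api)-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")

def has_jndi_lookup(jar_bytes):
    """True if the jar archive still contains the JndiLookup class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_CLASS in jar.namelist()

def triage(path, jar_bytes=None):
    """Classify one scanner hit; jar_bytes is the file content when available."""
    m = JAR_RE.search(path)
    if not m:
        # log4j.xml / log4j2.xml are logging configuration, not library code.
        return "config" if path.endswith(".xml") else "unknown"
    version = tuple(int(g or 0) for g in m.groups()[1:])
    if m.group(1) == "api":
        return "api-only"  # the JNDI lookup lives in log4j-core
    if version >= FIXED:
        return "core-fixed"
    if jar_bytes is not None and not has_jndi_lookup(jar_bytes):
        return "core-mitigated"  # class has been removed from the archive
    return "core-affected"

def make_jar(names):
    """Build a constructed in-memory jar with empty entries (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in names:
            jar.writestr(name, b"")
    return buf.getvalue()

# Paths taken from the scanner output in the post above.
HITS = [
    "/usr/StorMan/WebContent/config/log4j.xml",
    "/usr/StorMan/WebContent/WEB-INF/lib/log4j-core-2.14.0.jar",
    "/usr/StorMan/WebContent/WEB-INF/lib/log4j-api-2.14.0.jar",
    "/usr/StorMan/apache-tomcat/webapps/maxview/WEB-INF/lib/log4j-core-2.14.0.jar",
    "/usr/StorMan/apache-tomcat/lib/log4j2.xml",
]

if __name__ == "__main__":
    for hit in HITS:
        print(f"{triage(hit):14} {hit}")
```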