perfsonar-announce - [perfsonar-announce] Followup: Statement on the Log4j RCE Vulnerability
Subject: perfSONAR Announcements
- From: Mark Feit <>
- To: "" <>, "" <>
- Subject: [perfsonar-announce] Followup: Statement on the Log4j RCE Vulnerability
- Date: Tue, 14 Dec 2021 21:35:09 +0000
Yesterday’s statement about the Log4j vulnerability spurred a few questions from people wanting to know how to determine if the services are running on their systems. Nothing has changed; these are clarifications.
Cassandra. This will be present on any perfSONAR system running the perfsonar-core, perfsonar-toolkit or perfsonar-centralmanagement bundles. You can identify its presence by the cassandra package being installed on the system.
MaDDash. This will be present on any perfSONAR system running the perfsonar-centralmanagement bundle. You can identify its presence by the maddash package being installed on the system.
To reiterate, the feature containing the vulnerable code is not present in Log4j 1.x, which is what Cassandra and MaDDash are using.
Lookup Service. Most perfSONAR nodes registering with the lookup service use the central server operated by the perfSONAR project, which has been patched. Private lookup servers are uncommon but can be identified by the presence of the lookup-server package on the system. If that package is present, take the steps outlined in https://github.com/esnet/simple-lookup-service/wiki/Apache-log4j-Remote-Code-Execution-vulnerability to disable the vulnerable code.
To check for the presence of a package on CentOS, use rpm -q packagename. For Debian and Ubuntu, use apt list packagename and look for the [installed] tag next to its name.
As always, if you have questions, please drop us a line at .
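The package check described above, as an added example that is not part of the original announcement or perfSONAR project code. The function names and the wording of the guidance strings are assumptions for illustration; the package names and the wiki URL come from the message.

```shell
#!/bin/sh
# Added example (not perfSONAR project code): look for the packages named in
# the announcement and print the guidance that applies to each one found.
PACKAGES="cassandra maddash lookup-server"

# Read `apt list` output on stdin; succeed only if package $1 carries the
# [installed...] tag. apt also lists packages that are merely available, so
# seeing the name alone proves nothing. Constructed sample lines:
#   cassandra/stable 3.11.4 all                   (available, not installed)
#   maddash/now 2.0.2-1 all [installed,local]     (installed)
apt_output_installed() {
    grep -Eq "^$1/.*\[installed[],]"
}

# Returns 0 = installed, 1 = not installed, 2 = neither apt nor rpm found.
is_installed() {
    if command -v apt >/dev/null 2>&1; then
        if apt list "$1" 2>/dev/null | apt_output_installed "$1"; then return 0; fi
        return 1
    elif command -v rpm >/dev/null 2>&1; then
        if rpm -q "$1" >/dev/null 2>&1; then return 0; fi
        return 1
    fi
    return 2
}

# Guidance paraphrased from the announcement (wording is this example's own).
guidance() {
    case "$1" in
        cassandra|maddash)
            echo "uses Log4j 1.x, which lacks the feature containing the vulnerable code" ;;
        lookup-server)
            echo "private lookup server: follow https://github.com/esnet/simple-lookup-service/wiki/Apache-log4j-Remote-Code-Execution-vulnerability" ;;
    esac
}

report() {
    for pkg in $PACKAGES; do
        rc=0
        is_installed "$pkg" || rc=$?
        case $rc in
            0) echo "$pkg: installed; $(guidance "$pkg")" ;;
            1) echo "$pkg: not installed" ;;
            *) echo "$pkg: unknown (neither apt nor rpm found)" ;;
        esac
    done
}

report
```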