perfsonar-announce - [perfsonar-announce] New log4j CVE-2022-23307
- From: Andrew Lake <>
- To: perfsonar-user <>
- Subject: [perfsonar-announce] New log4j CVE-2022-23307
- Date: Thu, 27 Jan 2022 08:00:55 -0800
A new log4j vulnerability has been announced related to a vulnerability in the “chainsaw” package included in older versions of log4j. We have seen this package included in the log4j package that ships with Cassandra (a requirement of the esmond package). This would affect the perfsonar-toolkit and perfsonar-core bundles (perfsonar-testpoint does not include esmond and so is unaffected). perfSONAR does not directly leverage the chainsaw component, and given the way the software interacts with Cassandra, it seems unlikely anyone could leverage the vulnerability without access to the system. That being said, we try to take a cautious approach with these things and it's pretty easy to remove the affected classes. We will publish an update in the coming days that removes these classes. If you don’t want to wait, in the meantime you can run the following commands to mitigate the risk:
zip -q -d /usr/share/cassandra/lib/log4j*.jar org/apache/log4j/chainsaw/*
systemctl restart cassandra
As already said, we will have an update that automatically does the equivalent of the above soon. Please let us know if you have any questions.
The perfSONAR Development Team
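A verification script, added here and not part of the announcement or of perfSONAR itself, that checks the Cassandra log4j jars for the chainsaw classes named in the advisory and can write a stripped copy equivalent to the `zip -d` command above. The lib directory is the one from the announcement; the `log4j*.jar` name pattern and the stripped-copy workflow are assumptions.

```python
"""Check log4j 1.x jars for the chainsaw classes behind CVE-2022-23307 and,
where present, write a copy with those classes removed."""
import glob
import os
import zipfile

# Path from the announcement; pass another directory to scan() for other installs.
CASSANDRA_LIB = "/usr/share/cassandra/lib"
CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"


def chainsaw_entries(jar_path):
    """Return the chainsaw entries still in the jar (empty list means mitigated)."""
    with zipfile.ZipFile(jar_path) as jar:
        return [n for n in jar.namelist() if n.startswith(CHAINSAW_PREFIX)]


def strip_chainsaw(src_jar, dst_jar):
    """Write a copy of src_jar without chainsaw entries; return the count removed.

    zipfile cannot delete entries in place, so the jar is rewritten; the result
    matches `zip -q -d <jar> org/apache/log4j/chainsaw/*` on the original file."""
    removed = 0
    with zipfile.ZipFile(src_jar) as src, \
            zipfile.ZipFile(dst_jar, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.startswith(CHAINSAW_PREFIX):
                removed += 1
                continue
            # Copy every other entry unchanged (metadata included).
            dst.writestr(info, src.read(info.filename))
    return removed


def scan(lib_dir=CASSANDRA_LIB):
    """Map each log4j*.jar under lib_dir to its remaining chainsaw entries."""
    pattern = os.path.join(lib_dir, "log4j*.jar")
    return {p: chainsaw_entries(p) for p in sorted(glob.glob(pattern))}


if __name__ == "__main__":
    for jar, hits in scan().items():
        state = "%d chainsaw classes remain" % len(hits) if hits else "mitigated"
        print("%s: %s" % (jar, state))
```

Run it before and after the `zip -d` step to confirm the classes are gone; Cassandra still needs the restart from the announcement to pick up the modified jar.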