Skip to Content.
Sympa Menu

perfsonar-announce - Re: [perfsonar-announce] New log4j CVE-2022-23307

Subject: perfSONAR Announcements

List archive

Re: [perfsonar-announce] New log4j CVE-2022-23307

Chronological Thread 
  • From: Andrew Lake <>
  • To: perfsonar-user <>
  • Cc:
  • Subject: Re: [perfsonar-announce] New log4j CVE-2022-23307
  • Date: Thu, 27 Jan 2022 11:40:04 -0800

A new esmond RPM (4.4.2-2) has been uploaded that should do the equivalent of the command previously shared. If you are running auto-updates you should get the change shortly, otherwise a “yum update esmond” will get the new package.

On January 27, 2022 at 11:00:55 AM, Andrew Lake () wrote:


A new log4j vulnerability has been announced related to a vulnerability in the “chainsaw” package included in older versions of log4j. We have seen this package included in the log4j package the ships with cassanda (a requirement of the esmond package). This would affect perfsonar-toolkit and perfsonar-core bundles (perfsolnar-testpoint does not include esmond so is unaffected). perfSONAR does not directly leverage the chainsaw component and the way the software interacts with Cassandra it seems unlikely anyone could leverage the vulnerability without access to the system. That being said, we try to take a cautious approach with these things and its pretty easy to remove the affected classes. We will publish an update in the coming days that removes these classes. If you don’t want to wait, in the meantime you can run the following command to mitigate the risk:

zip -q -d /usr/share/cassandra/lib/log4j*.jar  org/apache/log4j/chainsaw/*
systemctl restart cassandra

As already said, we will have an update that automatically does the equivalent of above soon. Please let us know if you have any questions.

The perfSONAR Development Team

Archive powered by MHonArc 2.6.24.

Top of Page