Excellent, thank you!
From: Eric Wittmann <eric.wittmann(a)redhat.com>
Sent: Thursday, December 16, 2021 10:59 AM
To: Marcel Ouellette <mouellette(a)insuranceautomationgroup.com>
Cc: apicurio(a)lists.jboss.org
Subject: Re: [Apicurio] Apicurio Studio Quick Start
CAUTION: This email originated from outside of the organization. Do not click links or
open attachments unless you recognize the sender and know the content is safe.
Ah yes - I'm not surprised about the logmanager. According to the Wildfly team, they
are not impacted by the log4j 2 CVE. Here is a writeup on this if you are interested:
https://www.wildfly.org/news/2021/12/13/Log4j-CVEs/
However, it is certainly true that we're using an older version of WF in our
quickstart and we should update it. I'll add that to my todo list. :)
Definitely note: we don't recommend deploying the quickstart in production. Using one
of the other deployment strategies would be better (docker compose, kubernetes, openshift,
etc).
Thanks for the note!
On Thu, Dec 16, 2021 at 10:40 AM Marcel Ouellette
<mouellette@insuranceautomationgroup.com>
wrote:
I can only speak for 2.5.0 which flagged log4j-jboss-logmanager-1.2.0.Final.jar which came
up on a security scan. Thanks for the tip on the docker images and the quick response!
From: Eric Wittmann <eric.wittmann@redhat.com>
Sent: Thursday, December 16, 2021 10:27 AM
To: Marcel Ouellette <mouellette@insuranceautomationgroup.com>
Cc: apicurio@lists.jboss.org
Subject: Re: [Apicurio] Apicurio Studio Quick Start
Thanks Marcel. I'll have a look at that. Fortunately our docker images are not (as
far as I can tell) affected. But I forgot to check the Quickstart (which is deployed on
Wildfly IIRC). Do you happen to know what versions of Wildfly are affected? Only if you
happen to know - I can look it up. :)
On Thu, Dec 16, 2021 at 9:25 AM Marcel Ouellette
<mouellette@insuranceautomationgroup.com>
wrote:
I'm sure anyone seeing this is probably well aware, however, it seemed best to
send something. The Apicurio Studio (which is fantastic by the way) quickstart contains
the now infamous log4j vulnerability. I understand maintainers have outside priorities
and receive little in return so please know this isn't a complaint, just a friendly
notification. Thank you.
_______________________________________________
Apicurio mailing list -- apicurio@lists.jboss.org
To unsubscribe send an email to apicurio-leave@lists.jboss.org
--
Eric Wittmann
Principal Software Engineer - Apicurio - Red Hat
He / Him / His
eric.wittmann@redhat.com
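The thread above turns on a scanner that flagged a jar by its file name (log4j-jboss-logmanager) even though, per the WildFly writeup, that bridge jar is not log4j 2 core. As an added example that is not code from the Apicurio project or from anyone in this thread, the Python script below inspects jar contents instead of names: it looks for the log4j 2 core package and its JndiLookup class and reads the manifest version, so a deployment can be triaged with fewer false positives. The two jars it scans are constructed stand-ins written to a temporary directory (empty placeholder class entries, made-up manifest), not real artifacts.

```python
"""Classify jars by content rather than by file name.

Added example (not project code). The sample jars are constructed in a temp
directory with empty placeholder entries; they are not real log4j artifacts.
"""
import os
import tempfile
import zipfile

# Package prefix of log4j 2 core and the lookup class at the centre of the
# log4j 2 CVE discussed in the thread.
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_CLASS = LOG4J2_CORE_PREFIX + "lookup/JndiLookup.class"


def inspect_jar(path):
    """Return what a jar actually contains, independent of its file name."""
    info = {"has_log4j2_core": False, "has_jndi_lookup": False, "version": None}
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        info["has_log4j2_core"] = any(n.startswith(LOG4J2_CORE_PREFIX) for n in names)
        info["has_jndi_lookup"] = JNDI_LOOKUP_CLASS in names
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    info["version"] = line.split(":", 1)[1].strip()
    info["classification"] = classify(info)
    return info


def classify(info):
    """Map jar contents to a triage label."""
    if info["has_jndi_lookup"]:
        return "log4j2-core-with-jndi-lookup"   # needs upgrade or mitigation
    if info["has_log4j2_core"]:
        return "log4j2-core-without-jndi-lookup"  # core present, lookup class already removed
    return "not-log4j2-core"                    # e.g. a bridge or 1.x API jar


def scan_tree(root):
    """Walk a deployment directory and return {jar file name: inspection info}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                findings[name] = inspect_jar(os.path.join(dirpath, name))
    return findings


def build_sample_tree():
    """Construct two stand-in jars (constructed sample data, not real artifacts)."""
    root = tempfile.mkdtemp(prefix="jar-scan-")

    def write_jar(name, entries):
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            for entry, data in entries.items():
                jar.writestr(entry, data)

    # Stand-in for a log4j 2 core jar: carries the core package and the lookup class.
    write_jar("log4j-core-sample.jar", {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: x.y.z-sample\n",
        LOG4J2_CORE_PREFIX + "Logger.class": b"",
        JNDI_LOOKUP_CLASS: b"",
    })
    # Stand-in for the bridge jar named in the thread: 'log4j' in the name,
    # but no log4j 2 core package inside (entry layout is assumed for the sample).
    write_jar("log4j-jboss-logmanager-1.2.0.Final.jar", {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 1.2.0.Final\n",
        "org/apache/log4j/Logger.class": b"",
    })
    return root


if __name__ == "__main__":
    for jar_name, info in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{jar_name}: {info['classification']} (version {info['version']})")
```

Point the script at an unpacked quickstart or WildFly modules directory by replacing `build_sample_tree()` with that path; a name-only scanner will still flag the bridge jar, while this content check reports it as `not-log4j2-core` and reserves the top label for jars that actually ship the lookup class.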