Ah yes - I'm not surprised about the logmanager. According to the Wildfly
team, they are not impacted by the log4j 2 CVE. Here is a writeup on this
if you are interested:
https://www.wildfly.org/news/2021/12/13/Log4j-CVEs/
However, it is certainly true that we're using an older version of WF in
our quickstart and we should update it. I'll add that to my todo list. :)
Definitely note: we don't recommend deploying the quickstart in
production. Using one of the other deployment strategies would be better
(docker compose, kubernetes, openshift, etc).
Thanks for the note!
On Thu, Dec 16, 2021 at 10:40 AM Marcel Ouellette <
mouellette(a)insuranceautomationgroup.com> wrote:
I can only speak for 2.5.0 which flagged
log4j-jboss-logmanager-1.2.0.Final.jar which came up on a security scan.
Thanks for the tip on the docker images and the quick response!
*From:* Eric Wittmann <eric.wittmann(a)redhat.com>
*Sent:* Thursday, December 16, 2021 10:27 AM
*To:* Marcel Ouellette <mouellette(a)insuranceautomationgroup.com>
*Cc:* apicurio(a)lists.jboss.org
*Subject:* Re: [Apicurio] Apicurio Studio Quick Start
Thanks Marcel. I'll have a look at that. Fortunately our docker images
are not (as far as I can tell) affected. But I forgot to check the
Quickstart (which is deployed on Wildfly IIRC). Do you happen to know what
versions of Wildfly are affected? Only if you happen to know - I can look
it up. :)
On Thu, Dec 16, 2021 at 9:25 AM Marcel Ouellette <
mouellette(a)insuranceautomationgroup.com> wrote:
I'm sure anyone seeing this is probably well aware, however, it
seemed best to send something. The apicurio studio (which is fantastic by
the way) quickstart contains the now infamous log4j vulnerability. I
understand maintainers have outside priorities and receive little in return
so please know this isn't a complaint, just a friendly notification. Thank
you.
--
Eric Wittmann
Principal Software Engineer - Apicurio - Red Hat
He / Him / His
eric.wittmann(a)redhat.com