Bug 2031102

Summary: ovirt-engine-wildfly contains log4j-api-2.0.14 same as WildFly, but log4j-core is not present, so no vulnerability to CVE-2021-44228 in production
Product: [oVirt] ovirt-engine
Reporter: Rik Theys <rik.theys>
Component: General
Assignee: Martin Perina <mperina>
Status: CLOSED DUPLICATE
QA Contact: Guilherme Santos <gdeolive>
Severity: high
Docs Contact:
Priority: high
Version: 4.4.9
CC: asocha, bugs, mperina, vsroka
Target Milestone: ovirt-4.5.2
Keywords: Security
Target Release: ---
Flags: mperina: ovirt-4.5+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-06-08 08:22:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2030932

Description Rik Theys 2021-12-10 14:07:39 UTC
Description of problem:

oVirt's wildfly package (ovirt-engine-wildfly) ships log4j 2.14.0, which is vulnerable to CVE-2021-44228. It should be upgraded to include log4j 2.15 to resolve this issue.


Version-Release number of selected component (if applicable):
ovirt-engine-wildfly-23.0.2-1.el8.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

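The resolution of this bug turns on which log4j artifacts the WildFly tree actually ships: CVE-2021-44228 lives in log4j-core, and a log4j-api jar on its own does not carry it. The following script is an added example (not code from oVirt or WildFly) that inventories log4j jars found under a WildFly directory and flags any log4j-core older than 2.15.0; the sample path list and the `scan_tree` helper are constructed for this example.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed jar list standing in for a WildFly modules tree (not taken from
# a real ovirt-engine-wildfly RPM); it mirrors the thread's finding: log4j-api
# 2.14.0 present, no log4j-core.
SAMPLE_TREE = [
    "modules/system/layers/base/org/apache/logging/log4j/api/main/log4j-api-2.14.0.jar",
    "modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-2.1.18.Final.jar",
    "modules/system/layers/base/org/slf4j/main/slf4j-api-1.7.30.jar",
]

# Matches log4j-<artifact>-<numeric version>.jar, e.g. log4j-core-2.14.0.jar,
# log4j-1.2-api-2.14.0.jar or the 1.x log4j-1.2.17.jar; qualified versions
# such as 2.0-beta9 are skipped.
JAR_RE = re.compile(r"^(log4j(?:-[A-Za-z0-9.]+)*?)-(\d+(?:\.\d+)+)\.jar$")
# First log4j-core release fixing CVE-2021-44228, as the thread states.
FIXED_CORE = (2, 15, 0)

def parse_jar(path: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (artifact, version tuple) for a log4j jar path, else None."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))

def assess(paths: List[str]) -> Dict[str, object]:
    """Inventory log4j artifacts; flag log4j-core 2.x older than 2.15.0."""
    # log4j-api on its own does not carry the JNDI lookup behind the CVE;
    # only log4j-core does, which is why the bug closed once core was absent.
    found: Dict[str, List[Tuple[Tuple[int, ...], str]]] = {}
    for p in paths:
        parsed = parse_jar(p)
        if parsed:
            found.setdefault(parsed[0], []).append((parsed[1], p))
    cores = found.get("log4j-core", [])
    vulnerable = [p for v, p in cores if (2, 0) <= v < FIXED_CORE]
    return {
        "log4j_artifacts": sorted(found),
        "core_present": bool(cores),
        "vulnerable_core_jars": vulnerable,
    }

def scan_tree(root: str) -> List[str]:
    """Collect every .jar under a real WildFly installation directory."""
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.endswith(".jar")]
```

Point `scan_tree` at the installed WildFly directory to produce the same report for a real tree.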
Comment 1 Sandro Bonazzola 2021-12-10 15:08:37 UTC
Thanks for reporting!

Artur, I see you packaged 24.0.1 about 9 weeks ago. Does oVirt 4.4.9 work with that? Or is it only working on master / 4.5?

Comment 2 RHEL Program Management 2021-12-10 15:08:58 UTC
The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.

Comment 3 Sandro Bonazzola 2021-12-10 15:17:15 UTC
Looks like 24.0.1 won't be enough for getting the CVE fixed. Monitoring https://www.wildfly.org/ for a fix to be available.

Comment 4 Rik Theys 2021-12-10 15:29:18 UTC
Hi,

Would it not be sufficient to include log4j 2.15.0 instead of 2.14.0? Are they not compatible?

Regards,
Rik

Comment 5 Artur Socha 2021-12-10 15:52:47 UTC
4.4.9 works with Wildfly 24.0.1. The patch with the bump was merged on Oct 15th.

Comment 6 Artur Socha 2021-12-10 16:03:09 UTC
(In reply to Rik Theys from comment #4)
> Hi,
> 
> Would it not be sufficient to include log4j 2.15.0 instead of 2.14.0? Are
> they not compatible?
> 
> Regards,
> Rik

Yes - I highly doubt that this bump would cause any issues, so we can expect a rather quick hotfix from Wildfly.

Comment 7 Martin Perina 2021-12-13 09:34:28 UTC
We are not able to bump WildFly to the latest version due to BZ1979500. If there is an updated WildFly release with the fix, we will try to extract the updated log4j packages and provide them within the ovirt-engine-wildfly-overlay package for ovirt-engine-wildfly-24.0.1.

Comment 8 Martin Perina 2022-01-10 13:19:10 UTC
So far there are no updates for WildFly, but as WildFly itself is not affected by CVE-2021-44228, we will probably need to wait for the next WildFly version.

Comment 9 Martin Perina 2022-06-08 08:22:50 UTC
This should be fixed by upgrading to WildFly 26.

*** This bug has been marked as a duplicate of bug 2060792 ***