Description of problem:
oVirt's wildfly package (ovirt-engine-wildfly) ships log4j 2.14.0, which is vulnerable to CVE-2021-44228. It should be upgraded to include log4j 2.15 to resolve this issue.

Version-Release number of selected component (if applicable):
ovirt-engine-wildfly-23.0.2-1.el8.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
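As an added example (not part of this bug report or of the oVirt/WildFly code), a small inventory script that walks a WildFly modules tree and reports every bundled log4j-core jar that is older than the 2.15.0 the report asks for. The modules path is an assumption, and the JndiLookup check reflects Apache's documented interim mitigation of deleting that class from older 2.x builds.

```python
import os
import re
import tempfile
import zipfile

# Lowest log4j-core version the report asks for; anything older is suspect.
MIN_SAFE = (2, 15, 0)
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
# Class behind the JNDI lookup abused by CVE-2021-44228 (Apache's interim
# mitigation for older 2.x releases was to delete it from log4j-core).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_version(filename):
    """(major, minor, patch) from a log4j-core jar name, or None if not one."""
    m = JAR_RE.match(filename)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path):
    """Describe one log4j-core jar: version, lookup class present, verdict."""
    version = jar_version(os.path.basename(path))
    with zipfile.ZipFile(path) as zf:
        has_lookup = JNDI_LOOKUP in zf.namelist()
    # Old version AND lookup class still shipped -> flag it.
    return {"path": path, "version": version, "has_jndi_lookup": has_lookup,
            "vulnerable": version < MIN_SAFE and has_lookup}


def scan_modules(root):
    """Walk a WildFly modules tree (assumed path, e.g.
    /usr/share/ovirt-engine-wildfly/modules) and inspect every log4j-core jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if jar_version(name) is not None:
                findings.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed stand-in for a modules tree: three minimal jars, not real
    log4j builds: 2.14.0 untouched, 2.14.0 with the lookup class deleted, 2.15.0."""
    root = tempfile.mkdtemp(prefix="wildfly-modules-")
    for subdir, ver, keep_lookup in (("old", "2.14.0", True),
                                     ("mitigated", "2.14.0", False),
                                     ("new", "2.15.0", True)):
        moddir = os.path.join(root, subdir)
        os.makedirs(moddir)
        with zipfile.ZipFile(os.path.join(moddir, f"log4j-core-{ver}.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if keep_lookup:
                zf.writestr(JNDI_LOOKUP, b"")  # placeholder body, not bytecode
    return root
```

On a real host, call `scan_modules()` on the installed modules directory instead of `build_sample_tree()`; only jars named `log4j-core-<version>.jar` are inspected, so a renamed or shaded copy needs a separate check.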
Thanks for reporting! Artur I see you packaged 24.0.1 about 9 weeks ago. Does oVirt 4.4.9 work with that? Or is it only working on master / 4.5?
The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.
Looks like 24.0.1 won't be enough for getting the CVE fixed. Monitoring https://www.wildfly.org/ for a fix to be available.
Hi,

Would it not be sufficient to include log4j 2.15.0 instead of 2.14.0? Are they not compatible?

Regards,
Rik
4.4.9 works with Wildfly 24.0.1. The patch with the bump was merged on Oct 15th.
(In reply to Rik Theys from comment #4)
> Hi,
>
> Would it not be sufficient to include log4j 2.15.0 instead of 2.14.0? Are
> they not compatible?
>
> Regards,
> Rik

Yes - I highly doubt that this bump would cause any issues, so we can expect a rather quick hot fix from Wildfly.
We are not able to bump WildFly to the latest version due to BZ1979500. If there is an updated WildFly release with the fix, we will try to extract the updated log4j packages and provide them within the ovirt-engine-wildfly-overlay package for ovirt-engine-wildfly-24.0.1.
So far no updates for WildFly, but as WildFly itself is not affected by CVE-2021-44228, we will probably need to wait for the next WildFly version.
This should be fixed by upgrading to WildFly 26.

*** This bug has been marked as a duplicate of bug 2060792 ***