Daan,

Thanks for the update. I can see the default log4j configuration uses 1.2.27:

<!-- Logging versions -->
<cs.log4j.version>1.2.17</cs.log4j.version>
<cs.log4j.extras.version>1.2.17</cs.log4j.extras.version>
<cs.logging.version>1.1.1</cs.logging.version>

We'll be waiting for the official statement.

Best Regards,

On Mon, Dec 13, 2021 at 11:12 AM Daan Hoogland <[email protected]> wrote:

> Serge,
> An official statement should be coming out soon, but I think it is safe to
> say the ACS is not impacted, for sure with the default log4j configuration.
> The version we use is not impacted. A colleague PMC member did an exploit
> attempt and showed it failing. If you are unsure, [1] describes what we feel
> is applicable to Cloudstack as well.
>
> [1] http://slf4j.org/log4shell.html
>
> On Mon, Dec 13, 2021 at 9:55 AM Bs Serge <[email protected]> wrote:
>
> > Hi all,
> >
> > I’m sure all of you are aware of what’s going on with the Log4j security
> > vulnerability. If not, then:
> >
> > - https://www.wired.com/story/log4j-flaw-hacking-internet/
> > - https://logging-apache-org.translate.goog/log4j/2.x/security.html?_x_tr_sl=de&_x_tr_tl=en&_x_tr_hl=en-US
> >
> > So some of us are wondering:
> >
> > Does it affect some versions of the management server installation? And
> > what can one do to make sure that they are safe from this vulnerability?
> >
> > Best Regards,
>
> --
> Daan
