Hi all,
Some comments / thoughts.
For many of these, I believe just updating the base image used to build /
run the container would resolve many of the security issues.
When it comes to the impacts of certains CVE's it's really difficult to
ascertain the impact without knowledge of the context (pun intended :)).
Many scanners on the market, _ONLY_ check the version of the package, which
is the information they have available.
Thise can cause many false positives depending on how the Operating System
vendor / Distribution used, handles things such as backports to packages vs
rebases etc.
It is also usually the case that they are not able to determine build time
options and runtime options (configuration) that would make a threat actor
not able to exploit the CVE.
It is usually recommended that the scanner technology used, be able to
integrate to the specific vulnerability information shared by the
distribution / vendor.
In addition to this, an extra challenge that I see when I work with
customers deploying FIWARE components is the breadth of Distributions used
within the FIWARE ecosystem.
I've seen Ubuntu, Alpine, CentOS, Debian. and also different versions of
all of those.
This makes it extremely difficult to ascertain whether or not a user is
running componentes with vulnerabilities.
It also makes it difficult for the active FIWARE contributors to understand
vulnerabilities affecting FIWARE components.
Kind regards
Johnny
On Thu, Dec 16, 2021 at 11:33 AM Fernando Lopez <fernando.lopez at fiware.org>
wrote:
> Dear Fermín,
>
> First of all thank you for your prompt response. We provide the
> information about the security issues identified in the security analysis
> and it is up to you to evaluate afterwards the implication of that problem
> can take in your component.
>
> Regarding your second comment. I can understand your reasoning response
> but like a wrote in the email I have extracted the info from the reports,
> specially the one created by Anchore tool, that you have received with the
> extended information about the security issues identified in the component.
>
> Regarding the vocabulary, it was explained during the TSC session about QA
> activities that we are using specific tools to evaluate the Vulnerabilities
> Metrics following the Common Vulnerability Scoring System (CVSS) provides
> by the National Vulnerability Database (NVD) provided by the NIST. CVSS is
> an open framework for communicating the characteristics and severity of
> software vulnerabilities. The NVD provides CVSS 'base scores' which
> represent the innate characteristics of each vulnerability.
>
> For your convenience, I put here the summary of the 18 security issues
> found:
>
> NVD ID: CVE-2021-35942
> Package Name: glibc-minimal-langpack
> Package Version: 2.28-151.el8
> Base Score: 9.1
> Exploitability Score: 3.9
> Impact Score: 5.2
> Severity: Medium
>
> NVD ID: CVE-2021-35942
> Package Name: glibc-langpack-en
> Package Version: 2.28-151.el8
> Base Score: 9.1
> Exploitability Score: 3.9
> Impact Score: 5.2
> Severity: Medium
>
> NVD ID: CVE-2021-20232
> Package Name: nettle
> Package Version: 3.4.1-2.el8
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Medium
>
> NVD ID: CVE-2021-3177
> Package Name: python3-libs
> Package Version: 3.6.8-31.el8
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Medium
>
> NVD ID: CVE-2021-33574
> Package Name: glibc-langpack-en
> Package Version: 2.28-151.el8
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Low
>
> NVD ID: CVE-2021-35942
> Package Name: glibc
> Package Version: 2.28-151.el8
> Base Score: 9.1
> Exploitability Score: 3.9
> Impact Score: 5.2
> Severity: Medium
>
> NVD ID: CVE-2020-27619
> Package Name: platform-python
> Package Version: 3.6.8-31.el8
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Medium
>
> NVD ID: CVE-2020-27619
> Package Name: python3-libs
> Package Version: 3.6.8-31.el8
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Medium
>
> NVD ID: CVE-2021-33574
> Package Name: glibc-common
> Package Version: 2.28-151.el8
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Low
>
> NVD ID: CVE-2021-33574
> Package Name: glibc
> Package Version: 2.28-151.el8
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Low
>
> NVD ID: CVE-2021-20232
> Package Name: gnutls
> Package Version: 3.6.14-8.el8_3
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Medium
>
> NVD ID: CVE-2021-20231
> Package Name: gnutls
> Package Version: 3.6.14-8.el8_3
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Medium
>
> NVD ID: CVE-2021-33574
> Package Name: glibc-minimal-langpack
> Package Version: 2.28-151.el8
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Low
>
> NVD ID: CVE-2021-3177
> Package Name: platform-python
> Package Version: 3.6.8-31.el8
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Medium
>
> NVD ID: CVE-2021-3520
> Package Name: lz4-libs
> Package Version: 1.8.3-2.el8
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Medium
>
> NVD ID: CVE-2021-35942
> Package Name: glibc-common
> Package Version: 2.28-151.el8
> Base Score: 9.1
> Exploitability Score: 3.9
> Impact Score: 5.2
> Severity: Medium
>
> NVD ID: CVE-2019-18218
> Package Name: file-libs
> Package Version: 5.33-16.el8
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Medium
>
> NVD ID: CVE-2021-20231
> Package Name: nettle
> Package Version: 3.4.1-2.el8
> Base Score: 9.8
> Exploitability Score: 3.9
> Impact Score: 5.9
> Severity: Medium
>
>
> If you search the first one in the report (Package Name:
> glibc-minimal-langpack) you obtain the following information:
>
> {
> "feed": "vulnerabilities", "feed_group": "rhel:8", "fix": "0:2.28-164.el8", "nvd_data": [
> {
> "cvss_v2": {
> "base_score": 6.4, "exploitability_score": 10.0, "impact_score": 4.9 }, "cvss_v3": {
> "base_score": 9.1, "exploitability_score": 3.9, "impact_score": 5.2 }, "id": "CVE-2021-35942" }
> ], "package": "glibc-minimal-langpack-2.28-151.el8", "package_cpe": "None", "package_cpe23": "None", "package_name": "glibc-minimal-langpack", "package_path": "pkgdb", "package_type": "rpm", "package_version": "2.28-151.el8", "severity": "Medium", "url": "https://access.redhat.com/security/cve/CVE-2021-35942" <https://access.redhat.com/security/cve/CVE-2021-35942>, "vendor_data": [
> {
> "cvss_v2": {
> "base_score": -1.0, "exploitability_score": -1.0, "impact_score": -1.0 }, "cvss_v3": {
> "base_score": 9.1, "exploitability_score": 3.9, "impact_score": 5.2 }, "id": "CVE-2021-35942" }
> ], "vuln": "CVE-2021-35942", "will_not_fix": false}
>
> If you want detail information about the vulnerability you can go to the
> url in which you can obtain detailed information about the security issue.
>
> Nevertheless, let me know if you have the report, at the moment the
> configuration file (
> https://github.com/flopezag/fiware-security/blob/develop/Common/enablers.json)
> shows me that the report is automatically sent to
> telefonica.fiware at gmail.com
>
> {
> "name": "Orion", "image": "fiware/orion:latest", "compose": "https://raw.githubusercontent.com/telefonicaid/fiware-orion/master/docker/docker-compose.yml" <https://raw.githubusercontent.com/telefonicaid/fiware-orion/master/docker/docker-compose.yml>, "exclude": "", "email": "telefonica.fiware at gmail.com" <telefonica.fiware at gmail.com>}
>
>
> Best regards,
>
> Fernando
>
>
>
> Dear Fernando,
>
>
>
> With regards to Cygnus (which is explicitly mentioned) note that
> CVE-2019-17571 is not having any impact, as Cygnus doesn’t uses
> SocketAppender, which is used in sequence by SockerServer class affected by
> the vulnerability. Anyway, it is worth noting that Cygnus is a CB connector
> which doesn’t expose any API, so the probably of doing any injection attack
> in log4j library is 0 from a practical point of view.
>
>
>
> With regards to the reports, as general comment, I’m afraid this email it
> not useful. It only show statistic information regarding each component,
> but not information that allow us to know if a given vulnerability is
> relevant for the component and, in positive case, which actions to take so
> solve it. For instance, it is not useful for me to know that in Orion we
> have 10 vulnerabilities of type “CVSS v3 Base Score” (whatever that means
> J). What brings value is to know which vulnerabilities are, if they
> affect Orion or not and, in positive case, how to solve them. Could you
> provide such detailed information, please?
>
>
>
> Best regards,
>
>
>
> ------
>
> Fermín
>
>
>
> *De:* fiware-technical-committee-bounces at lists.fiware.org
> <fiware-technical-committee-bounces at lists.fiware.org>
> <fiware-technical-committee-bounces at lists.fiware.org> *En nombre de *Fernando
> Lopez
> *Enviado el:* miércoles, 15 de diciembre de 2021 16:58
> *Para:* fiware-technical-committee at lists.fiware.org
> *CC:* Ulrich Ahle <ulrich.ahle at fiware.org> <ulrich.ahle at fiware.org>
> *Asunto:* [Fiware-technical-committee] [VERY URGENT] Critical
> Vulnerability in Log4j: Log4Shell
> *Importancia:* Alta
>
>
>
> Dear all,
>
> First of all sorry for the very extended email. The reason about it is to
> share with you the security analysis of the FIWARE Generic Enablers that
> currently are under the scope of periodical monthly analysis. This data
> analysis has been developed after the critical issue detected with the Java
> Library Log4j from which you have received a previous email.
>
> The relevance of this email is not only to inform you the security
> analysis of the docker image that we did these days but also to inform you
> that some of our FIWARE Ecosystem member, precisely the WATERNET company
> has decided to dismiss the use of the Cygnus component due to a previous
> Critical Security Issue related to the CVE-2019-17571 also related to
> Log4j. This is not a good information and probably other companies might
> take the same action in production environment, specially if we are talking
> about critical infrastructure management. They are requesting us to know
> when should be available a new version to correct this issue.
>
> Both CVE-2021-44228 and CVE-2019-17571, are issues identified with high
> base score (10 and 9.8) and with Severity: Critical, but they are not the
> only ones...
>
> Giving that, I make a data analysis of the last report generated by our
> tool, specially related to the following FIWARE Generic Enablers:
>
> - Cygnus
> - Draco
> - IoTAgent-SigFox
> - Keyrock
> - Orion-LD
> - Orion
> - Stellio API
> - Stellio Entity Service
> - Stellio Search Service
> - Stellio Subscription Service
> - Stellio Timescale PostGIS
> - Wilma
>
> For all of them you have received each month the security report with the
> identified vulnerabilities. I have extracted from the report generated
> yesterday the following analysis focussing in the issues with a base score
> bigger than 9. For reducing the size of the email, I do not put here all of
> the identified security issues, but I can provide you if you want.
> Nevertheless, this is something that can be extracted from the security
> reports as well.
>
> At the moment, I have no identified CVE-2021-44228 on these enablers in
> the docker image version latest but I have identified the CVE-2019-17571 in
> Cygnus and Draco. These are not the only one, there are other issues
> identified as Critical in the reports. Therefore, from the point of view of
> reputation of the FIWARE Community, we should work to resolve those
> critical security issues as soon as possible.
>
> We expected to extend the analysis to the rest of components in the
> following weeks with your help.
>
>
>
> *Cygnus*
>
> [image: cid:part1.LubT0svT.sEptX0N0 at fiware.org]
>
> [image: cid:part2.YXWcVJnk.11zrBknL at fiware.org]
>
>
>
> Summary of vulnerabilities of Cygnus
> Number of vulnerabilities: 1807
> Number of vulnerabilities without NVD Data: 0
> Number of vulnerabilities with NVD Data: 1807
> Number of vulnerabilities with CVSS v2 Base Score > 9: 27
> Number of vulnerabilities with CVSS v3 Base Score > 9: 274
>
>
>
> *Draco*
>
> [image: cid:part3.XK0Iqpxk.4pJElR32 at fiware.org]
>
> [image: cid:part4.5gBZ8QIy.3jbxIaRA at fiware.org]
>
>
> Summary of vulnerabilities of Draco
> Number of vulnerabilities: 263
> Number of vulnerabilities without NVD Data: 0
> Number of vulnerabilities with NVD Data: 263
> Number of vulnerabilities with CVSS v2 Base Score > 9: 1
> Number of vulnerabilities with CVSS v3 Base Score > 9: 10
>
>
>
> *IoTAgent SigFox*
>
> [image: cid:part5.C0r0x9Pk.3Z30AJHR at fiware.org]
>
> [image: cid:part6.LPuV0bv1.Chw6dVVb at fiware.org]
>
>
> Summary of vulnerabilities of IoTAgent SigFox
> Number of vulnerabilities: 31
> Number of vulnerabilities without NVD Data: 0
> Number of vulnerabilities with NVD Data: 31
> Number of vulnerabilities with CVSS v2 Base Score > 9: 2
> Number of vulnerabilities with CVSS v3 Base Score > 9: 4
>
>
>
> *Keyrock*
>
> [image: cid:part7.gnJnx2dt.5XnoJosN at fiware.org]
>
> [image: cid:part8.ClkF1q7W.Vh0LnV8c at fiware.org]
>
>
> Summary of vulnerabilities of Keyrock
> Number of vulnerabilities: 120
> Number of vulnerabilities without NVD Data: 4
> Number of vulnerabilities with NVD Data: 116
> Number of vulnerabilities with CVSS v2 Base Score > 9: 1
> Number of vulnerabilities with CVSS v3 Base Score > 9: 17
>
>
>
> *Orion-LD*
>
> [image: cid:part9.xThqLZ8x.0A4mQcjd at fiware.org]
>
> [image: cid:part10.0QS6Ao85.yrOwJcs5 at fiware.org]
>
>
> Summary of vulnerabilities of Orion-LD
> Number of vulnerabilities: 100
> Number of vulnerabilities without NVD Data: 19
> Number of vulnerabilities with NVD Data: 81
> Number of vulnerabilities with CVSS v2 Base Score > 9: 0
> Number of vulnerabilities with CVSS v3 Base Score > 9: 11
>
>
> *Orion*
>
> [image: cid:part11.h8yc09BA.2VaHCAeA at fiware.org]
>
> [image: cid:part12.SlkHaHTj.ADBi2SGB at fiware.org]
>
>
> Summary of vulnerabilities of Orion
> Number of vulnerabilities: 207
> Number of vulnerabilities without NVD Data: 22
> Number of vulnerabilities with NVD Data: 185
> Number of vulnerabilities with CVSS v2 Base Score > 9: 0
> Number of vulnerabilities with CVSS v3 Base Score > 9: 18
>
>
>
> *Stellio API*
>
> [image: cid:part13.9BRMNAMG.JDfHrRc8 at fiware.org]
>
> [image: cid:part14.0ZJayQMj.7ZLvEBaL at fiware.org]
>
>
> Summary of vulnerabilities of Stellio API
> Number of vulnerabilities: 82
> Number of vulnerabilities without NVD Data: 1
> Number of vulnerabilities with NVD Data: 81
> Number of vulnerabilities with CVSS v2 Base Score > 9: 0
> Number of vulnerabilities with CVSS v3 Base Score > 9: 10
>
>
>
> *Stellio Entry Service*
>
> [image: cid:part15.AbqVjRPb.4XuiIFcz at fiware.org]
>
> [image: cid:part16.Skbhbq06.XggNPAsU at fiware.org]
>
>
> Summary of vulnerabilities of Stellio Entry Service
> Number of vulnerabilities: 22
> Number of vulnerabilities without NVD Data: 0
> Number of vulnerabilities with NVD Data: 22
> Number of vulnerabilities with CVSS v2 Base Score > 9: 0
> Number of vulnerabilities with CVSS v3 Base Score > 9: 4
>
>
>
> *Stellio Search Service*
>
> [image: cid:part17.RXAS2pYr.0ijXEL1y at fiware.org]
>
> [image: cid:part18.O1GaxZK5.p3KcN89N at fiware.org]
>
>
> Summary of vulnerabilities of Stellio Search Service
> Number of vulnerabilities: 103
> Number of vulnerabilities without NVD Data: 1
> Number of vulnerabilities with NVD Data: 102
> Number of vulnerabilities with CVSS v2 Base Score > 9: 0
> Number of vulnerabilities with CVSS v3 Base Score > 9: 14
>
>
> *Stellio Subscription Service*
>
> [image: cid:part19.dFOD0tNI.6v4eOWqe at fiware.org]
>
> [image: cid:part20.BvCIJu5M.yD8dKI8e at fiware.org]
>
>
> Summary of vulnerabilities of Stellio Subscription Service
> Number of vulnerabilities: 114
> Number of vulnerabilities without NVD Data: 1
> Number of vulnerabilities with NVD Data: 113
> Number of vulnerabilities with CVSS v2 Base Score > 9: 0
> Number of vulnerabilities with CVSS v3 Base Score > 9: 17
>
>
>
> *Stellio Timescale PostGIS*
>
> [image: cid:part21.snPmU4gW.RfkX1ECQ at fiware.org]
>
> [image: cid:part22.zkKCay8l.vqmTSJer at fiware.org]
>
>
> Summary of vulnerabilities of Stellio Timescale PostGIS
> Number of vulnerabilities: 90
> Number of vulnerabilities without NVD Data: 3
> Number of vulnerabilities with NVD Data: 87
> Number of vulnerabilities with CVSS v2 Base Score > 9: 0
> Number of vulnerabilities with CVSS v3 Base Score > 9: 4
>
>
>
> *Wilma*
>
> [image: cid:part23.qWPCu0OB.2NAl8aRP at fiware.org]
>
> [image: cid:part24.JHidNBDK.atd0u9fM at fiware.org]
>
>
>
> Summary of vulnerabilities of Wilma
> Number of vulnerabilities: 29
> Number of vulnerabilities without NVD Data: 0
> Number of vulnerabilities with NVD Data: 29
> Number of vulnerabilities with CVSS v2 Base Score > 9: 1
> Number of vulnerabilities with CVSS v3 Base Score > 9: 2
>
>
> On 14.12.21 17:10, Jason Fox wrote:
>
> As I am sure you are all aware, a new critical vulnerability in Log4j has
> been discovered which is likely to affect a very wide range of open source
> software.
>
>
>
> You can just search for *Log4Shell* on the internet, but here are a
> couple of background links for information
>
>
>
> -
> https://venturebeat.com/2021/12/10/the-log4j-vulnerability-is-bad-heres-the-good-news/
> - https://www.wired.com/story/log4j-log4shell/
>
>
>
>
>
> Kazuhito Suda has kindly provided a first analysis of likely effect across
> FIWARE Components. Please check to see if you are affected and update to a
> patched
>
> version as soon as possible. Failure to upgrade in a timely manner is a
> reputational risk, which is highly likely to damage the perceived
> trustworthiness of your company
>
> and indeed FIWARE as whole.
>
>
>
>
>
> This list should not be considered as comprehensive, everyone should also
> undertake a risk analysis of your own of course.
>
>
>
> Please patch and update your software and add a new tagged release of your
> component. The updated version will automatically be added to the releases
> branch
>
> Of the FIWARE Catalogue. In additionally, the FIWARE Foundation will be
> labelling a *FIWARE 8.2 *umbrella release at year end release to ensure
> the latest patches
>
> Batched and are consistently available. The usual FIWARE release
> notification eMail will appear in due course.
>
>
>
> Regards,
>
>
>
> Jason
>
>
>
>
>
>
>
>
>
>
> * Jason Fox*
>
> Technical Evangelist
>
> Jason.fox at fiware.org <juanjose.hierro at fiware.org>
>
> www.linkedin.com/in/jason-fox-8a79563
> <https://www.linkedin.com/in/jhierro>
>
>
>
>
> [image:
> imap://fernando%2Elopez%40fiware%2Eorg@imap.gmail.com:993/fetch%3EUID%3E/INBOX%3E235677?header=quotebody&part=1.2&filename=image049.png]
>
>
>
> Begin forwarded message:
>
>
>
> *From: *<kazuhito at fisuda.jp>
>
> *Subject: ***Vulnerability*** Apache Log4j (CVE-2021-44228)*
>
> *Date: *14. December 2021 at 07:41:58 CET
>
> *To: *"'Juanjo Hierro'" <juanjose.hierro at fiware.org>
>
> *Cc: *"'Stefano De Panfilis'" <stefano.depanfilis at fiware.org>, "'Jason
> Fox'" <jason.fox at fiware.org>
>
>
>
> Dear Juanjo,
>
>
>
> I share you information about a critical vulnerability in Apache Log4j and
> its impact on FIWARE GEs.
>
>
>
> On December 9, 2021, Apache software foundation published a critical
> vulnerability (CVSS score 10.0) in Apache Log4j, a Java logging library.
> FIWARE GEs written by Java may be affected by this vulnerability.
>
>
>
> Please have a look at the CVE-2021-44228 in the following link:
>
> https://logging.apache.org/log4j/2.x/
>
>
>
> The Log4j version 1.x does not have this vulnerability. Because it does
> not have Lookups feature. But the Log4j version 1.x is a EOL product.
>
>
>
> I'm running FIWARE instances in the cloud, so I investigated its impact on
> FIWARE GEs which I use. But please keep in mind that this is not perfect. I
> hope that FIWARE GE owners will investigate this effect.
>
>
>
> - Cygnus 2.15.0
>
> Cygnus uses Log4j 1.2.17, so it is not affected by this vulnerability.
>
>
>
>
> https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-common/pom.xml#L85
>
>
> https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-ngsi/pom.xml#L40
>
>
> https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-ngsi-ld/pom.xml#L41
>
>
> https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-twitter/pom.xml#L42
>
>
>
> - Preseo-core
>
> Perseo-core uses Log4j 1.2.17, so it is not affected by this vulnerability.
>
>
> https://github.com/telefonicaid/perseo-core/blob/master/perseo-utils/pom.xml#L50
>
>
>
> - WireCloud 1.3
>
> WireCloud 1.3 depends on Elasticsearch 2.4.
>
>
> https://github.com/Wirecloud/docker-wirecloud/blob/master/1.3/docker-compose.yml
>
>
>
> Elasticsearch 2.4 uses Log4j 1.2.17, so it is not affected by this
> vulnerability.
>
> https://github.com/elastic/elasticsearch/blob/2.4/pom.xml#L66
>
>
>
> - Draco
>
> Draco depends on Apache Nifi. Apache Nifi had this vulnerability and fixed
> it. Draco may be affected by this vulnerability
>
>
>
> NIFI-9482 Upgrade Log4j 2 from 2.15.0 to 2.16.0 #5600
>
> https://github.com/apache/nifi/pull/5600
>
>
>
> - Quantumleap
>
> Quantumleap depends on CrateDB. CrateDB had this vulnerability and fixed
> it. Quantumleap may be affected by this vulnerability.
>
>
>
> Update log4j to 2.15.0 (backport #11968) #11970
>
> https://github.com/crate/crate/pull/11970
>
>
>
> - Scorpio
>
> Scorpio depends on Apache Kafka. But probably Kafka may be not affected
> by this vulnerability.
>
>
>
> security - Which version of Kafka are impacted due to log4j
> CVE-2021-44228? - Stack Overflow
> <https://stackoverflow.com/questions/70315574/which-version-of-kafka-are-impacted-due-to-log4j-cve-2021-44228>
>
>
>
> - Knowage
>
> Knowage server uses Llog4j 1.2.16, so it is not affected by this
> vulnerability.
>
>
> https://github.com/KnowageLabs/Knowage-Server/blob/master/knowage-api/pom.xml#L109
>
>
>
> - CKAN
>
> CKAN depends on Apache Solr.
>
> https://solr.apache.org/security.html
>
> 2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228
>
> Severity: Critical
>
> Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0
>
>
>
>
>
> Best regards,
>
> Kazuhito
>
> Begin forwarded message:
>
>
>
> __________________________________________________________________________________________
>
>
>
> You can get more information about our cookies and privacy policies on the following links:
>
> - https://wiki.fiware.org/FIWARE_Privacy_Policy
>
> - https://wiki.fiware.org/Cookies_Policy_FIWARE
>
>
>
>
>
> fiware-technical-committee mailing list
>
> fiware-technical-committee at lists.fiware.org
>
>
>
> To unsubscribe from fiware-technical-committee mailing list, go to the information page of the list at:
>
> https://lists.fiware.org/listinfo/fiware-technical-committee
>
>
>
> --
>
> *Fernando López Aguilar*
>
> FIWARE Cloud & Platform Senior Expert
>
> M. +49 1522 2600767
>
> fernando.lopez at fiware.org
>
> www.fiware.org
>
> Twitter: @fiware <https://twitter.com/fiware>@flopezaguilar
> <https://twitter.com/flopezaguilar>
>
> *[image:
> imap://fernando%2Elopez%40fiware%2Eorg@imap.gmail.com:993/fetch%3EUID%3E/INBOX%3E235677?header=quotebody&part=1.2&filename=image049.png]*
>
> [image: https://nexus.lab.fiware.org/repository/raw/promo/email_footer.png]
> <https://nexus.lab.fiware.org/fiware.signature>
>
>
>
>
>
> ------------------------------
>
> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario,
> puede contener información privilegiada o confidencial y es para uso
> exclusivo de la persona o entidad de destino. Si no es usted. el
> destinatario indicado, queda notificado de que la lectura, utilización,
> divulgación y/o copia sin autorización puede estar prohibida en virtud de
> la legislación vigente. Si ha recibido este mensaje por error, le rogamos
> que nos lo comunique inmediatamente por esta misma vía y proceda a su
> destrucción.
>
> The information contained in this transmission is privileged and
> confidential information intended only for the use of the individual or
> entity named above. If the reader of this message is not the intended
> recipient, you are hereby notified that any dissemination, distribution or
> copying of this communication is strictly prohibited. If you have received
> this transmission in error, do not read it. Please immediately reply to the
> sender that you have received this communication in error and then delete
> it.
>
> Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário,
> pode conter informação privilegiada ou confidencial e é para uso exclusivo
> da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário
> indicado, fica notificado de que a leitura, utilização, divulgação e/ou
> cópia sem autorização pode estar proibida em virtude da legislação vigente.
> Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique
> imediatamente por esta mesma via e proceda a sua destruição
>
> --
> Fernando López Aguilar
> FIWARE Cloud & Platform Senior Expert
> M. +49 1522 2600767
> fernando.lopez at fiware.org
> www.fiware.org
> Twitter: @fiware <https://twitter.com/fiware> @flopezaguilar
> <https://twitter.com/flopezaguilar>
>
> <https://nexus.lab.fiware.org/fiware.signature>
>
>
>
> __________________________________________________________________________________________
>
> You can get more information about our cookies and privacy policies on the
> following links:
> - https://wiki.fiware.org/FIWARE_Privacy_Policy
> - https://wiki.fiware.org/Cookies_Policy_FIWARE
>
>
> fiware-technical-committee mailing list
> fiware-technical-committee at lists.fiware.org
>
> To unsubscribe from fiware-technical-committee mailing list, go to the
> information page of the list at:
> https://lists.fiware.org/listinfo/fiware-technical-committee
>
>
--
Johnny Westerlund
Solution Architect
Red Hat EMEA <https://www.redhat.com/>
jwesterl at redhat.com
M: +46761049925
@RedHat <https://twitter.com/redhat> Red Hat
<https://www.linkedin.com/company/red-hat> Red Hat
<https://www.facebook.com/RedHatInc>
<https://www.redhat.com/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image050.png
Type: image/png
Size: 41214 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0026.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image051.png
Type: image/png
Size: 38880 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0027.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image052.png
Type: image/png
Size: 40927 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0028.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image053.png
Type: image/png
Size: 37587 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0029.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image054.png
Type: image/png
Size: 36283 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0030.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image055.png
Type: image/png
Size: 39280 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0031.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image056.png
Type: image/png
Size: 41118 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0032.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image057.png
Type: image/png
Size: 36514 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0033.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image058.png
Type: image/png
Size: 37675 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0034.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image059.png
Type: image/png
Size: 36050 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0035.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image060.png
Type: image/png
Size: 39231 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0036.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image061.png
Type: image/png
Size: 36814 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0037.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image062.png
Type: image/png
Size: 38929 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0038.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image063.png
Type: image/png
Size: 37394 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0039.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image064.png
Type: image/png
Size: 43244 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0040.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image065.png
Type: image/png
Size: 41632 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0041.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image066.png
Type: image/png
Size: 43751 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0042.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image067.png
Type: image/png
Size: 41269 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0043.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image068.png
Type: image/png
Size: 43447 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0044.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image069.png
Type: image/png
Size: 41601 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0045.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image070.png
Type: image/png
Size: 40042 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0046.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image071.png
Type: image/png
Size: 41434 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0047.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image072.png
Type: image/png
Size: 36680 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0048.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image073.png
Type: image/png
Size: 37592 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0049.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image049.png
Type: image/png
Size: 8201 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0050.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Foundation-logo.png
Type: image/png
Size: 8201 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-technical-committee/attachments/20211217/ef8e4767/attachment-0051.png>
You can get more information about our cookies and privacy policies clicking on the following links: Privacy policy Cookies policy