OPNsense Forum

English Forums => General Discussion => Topic started by: adk20 on December 12, 2021, 01:52:03 am

Title: log4j and OPNsense
Post by: adk20 on December 12, 2021, 01:52:03 am

Dear community,

I am almost 100 percent sure that this new vuln (CVE-2021-44228) does NOT affect OPNsense since it is AFAIK built with Python and PHP but some brief feedback from a dev would be much appreciated.

Cheers
adk

Title: Re: log4j and OPNsense
Post by: franco on December 12, 2021, 09:54:06 am

Hi there,

We don't ship it and therefore don't use it in our project.

That might not be the case for third party package repositories enabled.


Cheers,
Franco

Title: Re: log4j and OPNsense
Post by: mimugmail on December 12, 2021, 10:05:54 am

SunnyValley uses Elasticsearch, also the packages in my repo are not updated yet. There shouldnt be any risk if you only allow local access to these services

Title: Re: log4j and OPNsense
Post by: fabian on December 12, 2021, 10:40:32 am

You may be affected if you build the JDK from the ports tree / 3rd party repository and install almost any java based application (log4j is more or less the default logging framework in the Java world). There are some other loging frameworks like one integrated in the JDK and one is logback. As mimugmail suggests, ELK stack (logstash => jruby - needs to be checked, elasticsearch = Java based database server so needs to be checked) might be a topic.

Also and especially if you install any Jakarta EE Application Server / embedded server, you should check them as well.

Title: Re: log4j and OPNsense
Post by: adk20 on December 12, 2021, 12:13:42 pm

@all: Thanks for your responses.

So I take it that when I do not run Sensei or have not used any third-party repos, there should be no Java in OPNsense.

Title: Re: log4j and OPNsense
Post by: RamSense on December 12, 2021, 12:51:52 pm

Maybe you have Services: Intrusion Detection (IDS) also running what gives protection.