log4j and OPNsense

Started by adk20, December 12, 2021, 01:52:03 AM

Dear community,

I am almost 100 percent sure that this new vuln (CVE-2021-44228) does NOT affect OPNsense since it is AFAIK built with Python and PHP but some brief feedback from a dev would be much appreciated.

Cheers
adk

Hi there,

We don't ship it and therefore don't use it in our project.

That might not be the case with third-party package repositories enabled.


Cheers,
Franco

SunnyValley uses Elasticsearch; also, the packages in my repo are not updated yet. There shouldn't be any risk if you only allow local access to these services.

You may be affected if you build the JDK from the ports tree / a third-party repository and install almost any Java-based application (log4j is more or less the default logging framework in the Java world). There are some other logging frameworks, such as the one integrated in the JDK, and logback. As mimugmail suggests, the ELK stack (logstash => JRuby, needs to be checked; elasticsearch = Java-based database server, so needs to be checked) might be a topic.

Also and especially if you install any Jakarta EE Application Server / embedded server, you should check them as well.
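As an added defender-side check, not code from any poster in this thread nor from the OPNsense project: a POSIX shell script that walks a directory tree (for example /usr/local, where ports and third-party packages land on FreeBSD) for log4j-core JARs and flags versions below 2.15.0, the release that closed CVE-2021-44228. The `log4j-core-<version>.jar` naming is the upstream Maven artifact convention and is assumed here; the sample tree of empty files is constructed for the demo and stands in for what an ELK or application-server install might drop.

```shell
#!/bin/sh
# Added example: locate log4j-core JARs below a directory and classify them
# against CVE-2021-44228 (fixed in log4j 2.15.0). Pure POSIX sh, no unzip.
# Limitation (assumption): relies on the artifact file name; a log4j-core
# bundled inside an uber-JAR or renamed will not be found this way.

FIXED_VERSION="2.15.0"

# version_lt A B: exit 0 when dotted numeric version A sorts before B.
# Pre-release suffixes such as "2.0-beta9" are not handled specially.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# scan_log4j DIR: print "path version status" for every log4j-core JAR.
scan_log4j() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
        ver=$(basename "$jar" .jar | sed 's/^log4j-core-//')
        if version_lt "$ver" "$FIXED_VERSION"; then
            status="VULNERABLE"
        else
            status="patched"
        fi
        printf '%s %s %s\n' "$jar" "$ver" "$status"
    done
}

# count_vulnerable DIR: number of affected JARs (quick yes/no for scripts).
count_vulnerable() {
    scan_log4j "$1" | grep -c ' VULNERABLE$' || true
}

# make_demo_tree: constructed sample layout; empty files stand in for JARs.
# log4j-api alone is not the affected component, only log4j-core is.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/elasticsearch/lib" "$d/logstash/vendor"
    : > "$d/elasticsearch/lib/log4j-core-2.11.1.jar"
    : > "$d/elasticsearch/lib/log4j-api-2.11.1.jar"
    : > "$d/logstash/vendor/log4j-core-2.17.1.jar"
    echo "$d"
}

# Usage: sh log4j-scan.sh /usr/local   (no argument runs the constructed demo)
if [ "$#" -gt 0 ]; then
    scan_log4j "$1"
    echo "vulnerable log4j-core jars: $(count_vulnerable "$1")"
else
    tree=$(make_demo_tree)
    scan_log4j "$tree"
    echo "vulnerable log4j-core jars: $(count_vulnerable "$tree")"
    rm -rf "$tree"
fi
```

Run it against /usr/local (and any other prefix a third-party repo uses) on a box where a JDK and Java applications were installed from ports; on a stock OPNsense with no third-party repos it should find nothing, which matches the maintainers' answer above. A non-empty result is the cue to check the owning package with `pkg which <path>` and update or restrict it.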

@all: Thanks for your responses.

So I take it that when I do not run Sensei or have not used any third-party repos, there should be no Java in OPNsense.

Maybe you also have Services: Intrusion Detection (IDS) running, which gives protection.
Deciso DEC850v2