Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
log4j and OPNsense
« previous
next »
Print
Pages: [
1
]
Author
Topic: log4j and OPNsense (Read 6482 times)
adk20
Newbie
Posts: 46
Karma: 3
log4j and OPNsense
«
on:
December 12, 2021, 01:52:03 am »
Dear community,
I am almost 100 percent sure that this new vuln (CVE-2021-44228) does NOT affect OPNsense since it is AFAIK built with Python and PHP but some brief feedback from a dev would be much appreciated.
Cheers
adk
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: log4j and OPNsense
«
Reply #1 on:
December 12, 2021, 09:54:06 am »
Hi there,
We don't ship it and therefore don't use it in our project.
That might not be the case for third party package repositories enabled.
Cheers,
Franco
Logged
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: log4j and OPNsense
«
Reply #2 on:
December 12, 2021, 10:05:54 am »
SunnyValley uses Elasticsearch, also the packages in my repo are not updated yet. There shouldnt be any risk if you only allow local access to these services
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: log4j and OPNsense
«
Reply #3 on:
December 12, 2021, 10:40:32 am »
You may be affected if you build the JDK from the ports tree / 3rd party repository and install almost any java based application (log4j is more or less the default logging framework in the Java world). There are some other loging frameworks like one integrated in the JDK and one is logback. As mimugmail suggests, ELK stack (logstash => jruby - needs to be checked, elasticsearch = Java based database server so needs to be checked) might be a topic.
Also and especially if you install any Jakarta EE Application Server / embedded server, you should check them as well.
Logged
adk20
Newbie
Posts: 46
Karma: 3
Re: log4j and OPNsense
«
Reply #4 on:
December 12, 2021, 12:13:42 pm »
@all: Thanks for your responses.
So I take it that when I do not run Sensei or have not used any third-party repos, there should be no Java in OPNsense.
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: log4j and OPNsense
«
Reply #5 on:
December 12, 2021, 12:51:52 pm »
Maybe you have Services: Intrusion Detection (IDS) also running what gives protection.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
log4j and OPNsense