Solved

log4j vulnerability

  • 12 December 2021
  • 9 replies
  • 8754 views


I haven’t noticed any messages or communications regarding the recent log4j vulnerability (CVE-2021-44228). Does Nutanix have some formal announcement for customers on the status of this threat as it relates to their product portfolio? 


Best answer by TeixeiraPaulo 13 December 2021, 02:36


Hey folks,

In this doc there is some information about this topic.

https://download.nutanix.com/alerts/Security_Advisory_0023.pdf

Any updates? The PDF doesn't update itself.

Hello, somehow I’m missing some updates from Nutanix in terms of which products are now finally affected or not and what steps should be taken.
Other vendors like VMware are frankly much better prepared in terms of spreading updates and how to fix.


Howdy - Jon from Engineering here -

The PDF at that link will be updated at least once per day until we’ve got this driven completely to ground.

Also, you should be getting an email blast from the support portal if you have a user account there.

IMHO, the security alerts should be opt-out, meaning you should get them automagically unless you’ve specifically turned them off, here: https://portal.nutanix.com/page/subscriptions

Example: Here’s a screenshot of the alert that I got when this first went out.


Jon, thanks for the update. The PDF says nothing about Community Edition and does not list specific versions of vulnerable products. Not all clusters will be running on latest LTS/STS.

Also if Prism Central (all versions) is vulnerable, does that mean that Prism Element is also vulnerable?


@Waddles → You bring up good points, thanks for reaching out.

RE not listing specific versions: We do say “All Supported Versions”, but you’re right, we should be more specific. What we’re referring to, specifically, is supported versions as defined by our EOL schedules, here: 

PC: https://download.nutanix.com/misc/PC_EOL/PC_EOL.pdf
AOS: https://download.nutanix.com/misc/AOS_EOL/AOS_EOL.pdf
Files: https://download.nutanix.com/misc/FILES_EOL/FILES_EOL.pdf
General End of Life Policies: https://www.nutanix.com/support-services/product-support/support-policies-and-faqs?show=accordion-0

I’ve asked the team to add a reference to these links in the SA so it's clear for everyone.

About CE → Another good point, it is not impacted and I’ve asked the team to add a line, i.e. AOS (CE) Not Impacted.

Prism Element is just the UI for AOS, so it falls under the AOS line item. I’ll see if we can make that more clear too.


v1.6 now posted, which calls out CE not impacted, and now we’ve got specific links to supported versions to clarify that. We’ve also added a clarification for Prism Element, which was all based on your feedback. Thanks for the contribution.

Cheers,

Jon


Thanks Jon. I did my own scan using 

$ find / -xdev -name '*.jar' 2>/dev/null | xargs -I FILE sh -c "if zipgrep '^version=2' FILE '*log4j*' 2>/dev/null; then echo found in FILE; fi"

and found the library is only used in Prism Central for elasticsearch. Hopefully that command may be useful as a general purpose search in case people need it for other applications.

In the absence of a mitigation strategy, can you confirm that elasticsearch is only accessible through authenticated API calls and is not listening on a port that is accessible on a LAN address?
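As an added example (not from the thread and not Nutanix code), here is a Python scanner that does the same job as the zipgrep one-liner above but also descends into jars bundled inside .war/.ear files, which zipgrep on the outer file cannot see, and reports whether JndiLookup.class (the class Apache's mitigation guidance says to remove) is present. The function names and the in-memory fixture are ours; the jar member paths are the real layout of a log4j-core jar.

```python
import io, os, re, zipfile

# Member paths below are the real layout of a log4j-core jar; all function names are ours.
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")

def inspect_jar(data, path):
    """Return findings for one archive's bytes, recursing into archives nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # corrupt or mislabelled file, not a zip container: skip it
    with zf:
        names = set(zf.namelist())
        for name in names:
            if POM_RE.search(name):
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                findings.append({"path": path, "version": m.group(1).strip() if m else "unknown",
                                 "jndi_lookup": JNDI_CLASS in names})
            elif name.lower().endswith(ARCHIVE_EXT):
                # bundled copies (e.g. WEB-INF/lib inside a .war) are invisible to zipgrep on the outer file
                findings.extend(inspect_jar(zf.read(name), path + "!" + name))
    return findings

def scan_tree(root):
    """Walk a directory tree and yield findings for every archive it contains."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    yield from inspect_jar(fh.read(), os.path.join(dirpath, f))

def build_sample_archive(version, nested=False, include_jndi=True):
    """Constructed fixture: a fake log4j-core jar, optionally wrapped inside a fake .war."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-%s.jar" % version, inner.getvalue())
    return outer.getvalue()
```

On a real host, iterate scan_tree("/") and review each finding's version and jndi_lookup flag; the fixture builder exists only so the block runs offline.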


I’ll do you one better: Elasticsearch isn’t used at all; that package was added a long time ago and never got deleted. We’re removing it in 2021.9.0.3.