log4j CVE not being reflected in the charm
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Graylog Charm | Fix Released | Undecided | Unassigned |
Bug Description
Hi all,
I have been working with a user on the graylog charm wrt CVE-2021-44228.
By default, the CVE is applied as per version 2.5.2 and rev 28 of the snap.
When we specify the jvm_heap_size parameter in the charm, this then adds the file /var/snap/
Below are the contents of this file when we have jvm_heap_size=2G:
~~~
# Path to the java executable.
JAVA=/usr/bin/java
# Default Java options for heap and garbage collection.
GRAYLOG_
# Pass some extra args to graylog-server. (i.e. "-d" to enable debug mode)
GRAYLOG_
# Program that will be used to wrap the graylog-server command. Useful to
# support programs like authbind.
GRAYLOG_
~~~
We can see from the above, the config option of "-Dlog4j2.
I have tested this on the newest graylog-50 charm, and the issue is still there.
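
A check for the regression described in this report, as an added example that is not part of the original report or of the charm's code: it parses a shell-style defaults file and flags any variable that carries JVM options without the Log4Shell mitigation property. The property name `log4j2.formatMsgNoLookups`, the variable name `EXAMPLE_JAVA_OPTS` and both sample files are assumptions constructed for illustration, since the report's own text is cut off at those points.

```python
import shlex

# Assumption: the widely documented Log4Shell mitigation property. The report's
# own mention of the option is cut off after "-Dlog4j2.".
REQUIRED_PROPERTY = "log4j2.formatMsgNoLookups"

# Constructed samples; EXAMPLE_JAVA_OPTS is a hypothetical variable name.
DEFAULT_FILE = '''\
# Path to the java executable.
JAVA=/usr/bin/java
EXAMPLE_JAVA_OPTS="-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true"
EXAMPLE_ARGS=""
'''
OVERRIDE_FILE = '''\
JAVA=/usr/bin/java
EXAMPLE_JAVA_OPTS="-Xms2G -Xmx2G"
EXAMPLE_ARGS=""
'''


def parse_defaults(text):
    """Parse KEY=VALUE lines of a shell-style defaults file into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # shlex removes the surrounding quotes and any trailing comment.
        settings[key.strip()] = " ".join(shlex.split(value, comments=True))
    return settings


def jvm_option_findings(settings, required=REQUIRED_PROPERTY):
    """Return {variable: problem} for JVM option strings lacking the property."""
    findings = {}
    for key, value in settings.items():
        opts = value.split()
        # Only variables that carry JVM flags are in scope.
        if not any(o.startswith(("-Xms", "-Xmx", "-XX:", "-D")) for o in opts):
            continue
        props = dict(o[2:].partition("=")[::2] for o in opts if o.startswith("-D"))
        if props.get(required, "").lower() != "true":
            findings[key] = "missing -D%s=true" % required
    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_FILE), ("override", OVERRIDE_FILE)):
        print(name, jvm_option_findings(parse_defaults(text)) or "ok")
```

Running the same check against the generated file after every charm config change catches an override that silently drops the flag.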
Related branches
- 🤖 prod-jenkaas-bootstack (community): Needs Fixing (continuous-integration)
- Drew Freiberger (community): Approve
- BootStack Reviewers: Pending requested
Diff: 124 lines (+35/-7), 4 files modified
- src/lib/charms/layer/graylog/snap_change.py (+3/-0)
- src/reactive/graylog.py (+24/-1)
- src/tests/functional/tests/tests.yaml (+1/-1)
- src/tests/unit/test_graylog.py (+7/-5)
tags: added: sts
Changed in charm-graylog:
status: New → Fix Released
milestone: none → 21.10