Closed jf-marquis-Adeo closed 2 years ago
What pipeline specifically? In which directory in this repo?
@jf-marquis-Adeo the asset-inventory pipelines seem to all be python pipelines, so they don't use log4j. Can you be more specific on what needs correcting?
Hi, this information is coming from Google support:
A security vulnerability, CVE-2021-44228, https://notifications.google.com/g/p/AD-FnEx8hncI0yPJlOcjOp_rjszvAYk0AYi6vqW-IzXEhO5-emxzEtNJ3m-VwVU4Z1-5WXnrBOcHWuepbw1JBxKwPAkhwKjPUnmedPp7WoOOSomXzIoITw has been disclosed in the Apache Log4j versions 2.0 to 2.14.1 and Dataflow users may be vulnerable to Log4j 2 under certain circumstances. Specifically, users that meet the following criteria should take immediate action:
Did I miss something?
Jean-François MARQUIS
Head of Operations
Global Tech & Data Platform
ADEO Services
135 rue Sadi Carnot • CS 00001 • 59790 Ronchin • FRANCE
On Wed, 15 Dec 2021 at 15:55, Tim Sell @.***> wrote:
@jf-marquis-Adeo https://github.com/jf-marquis-Adeo the asset-inventory pipelines seem to all be python pipelines, so they don't use log4j. Can you be more specific on what needs correcting?
Sorry for the confusion regarding that notice -- the notice only applies to applications/services/pipelines/etc. that are Java-based. In the case of the asset-inventory tool, as mentioned by @tims, it is purely Python code and thus not subject to the Java-specific log4j vuln.
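The point made above (only a Java deployment that actually ships log4j-core 2.0 to 2.14.1 is in scope; a pure-Python Beam pipeline carries no log4j at all) is easy to turn into a check you can run against a build or staging directory before answering a notice like this one. The script below is an added example written for this thread; it is not code from the professional-services repo, from Google, or from anyone posting here. It walks a directory, opens every `.jar` (including jars nested inside a Dataflow uber jar), reads the `log4j-core` `pom.properties` version, and flags anything in the range the notice names, or any shaded jar that has no version metadata but still carries `JndiLookup.class`. The fixture it builds (`build_sample_tree`) is constructed for the demo and does not contain real log4j bytes. Note that the range checked is the one quoted in the notice; the follow-up CVE-2021-45046 later pulled 2.15.0 into scope as well, so adjust `VULN_MAX` to match whatever advisory you are acting on.

```python
"""Scan a directory tree for Apache Log4j 2 core jars in the CVE-2021-44228
range. Added example for this GitHub thread, not part of the
GoogleCloudPlatform/professional-services repository."""
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Range quoted in the Google notice: Log4j 2.0 through 2.14.1 (inclusive).
VULN_MIN = (2, 0, 0)
VULN_MAX = (2, 14, 1)
# Maven metadata that a non-shaded log4j-core jar carries.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind the JNDI lookup; its presence in an unversioned (shaded) jar
# is worth a manual look even when no version string can be found.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release suffixes
    are dropped, so 2.0-betaN compares as 2.0 and lands inside the range."""
    core = text.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(text):
    return VULN_MIN <= parse_version(text) <= VULN_MAX


def inspect_jar(source):
    """source is a path or a file-like object. Returns one dict per jar found
    (the jar itself plus any jars bundled inside it, as in a Dataflow uber jar)."""
    results = []
    with zipfile.ZipFile(source) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        results.append({"version": version, "has_jndi_lookup": JNDI_CLASS in names})
        for name in names:
            if name.endswith(".jar"):  # recurse into nested jars
                results.extend(inspect_jar(io.BytesIO(zf.read(name))))
    return results


def suspicious(info):
    """Flag a known version inside the range, or a shaded jar (no version) that
    still ships JndiLookup.class and therefore needs a human to look at it."""
    if info["version"] is not None:
        return is_vulnerable_version(info["version"])
    return info["has_jndi_lookup"]


def scan_tree(root):
    """Return [(jar_path, [flagged jar infos])]. .py files are never opened:
    a pure-Python pipeline has nothing for this check to find."""
    findings = []
    for jar in Path(root).rglob("*.jar"):
        flagged = [i for i in inspect_jar(jar) if suspicious(i)]
        if flagged:
            findings.append((str(jar), flagged))
    return findings


def build_sample_tree(root):
    """Constructed fixture (placeholder bytes, not real log4j): a jar mimicking
    log4j-core 2.14.1 metadata, one mimicking 2.17.1, an uber jar that bundles
    the 2.14.1 jar, and a Python pipeline file that should be ignored."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)

    def fake_log4j(target, version):
        with zipfile.ZipFile(target, "w") as zf:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\nversion={version}\n")
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a class

    fake_log4j(root / "log4j-core-2.14.1.jar", "2.14.1")
    fake_log4j(root / "log4j-core-2.17.1.jar", "2.17.1")
    inner = io.BytesIO()
    fake_log4j(inner, "2.14.1")
    with zipfile.ZipFile(root / "dataflow-bundled.jar", "w") as zf:
        zf.writestr("lib/log4j-core-2.14.1.jar", inner.getvalue())
    (root / "asset_inventory_pipeline.py").write_text("# pure-Python Beam pipeline\n")
    return root


def demo():
    """Build the fixture in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, infos in demo():
        print(path, infos)
```

Run it against the directory you stage for deployment (or the extracted contents of the worker image) rather than the source tree: the dependency that matters is the one that ends up on the classpath, not the one in the pom. On a Python-only pipeline such as asset-inventory the scan returns an empty list, which is exactly the evidence needed to answer the notice.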
Thanks Jean-François. I understand that all three conditions need to be satisfied for the vulnerability to be present. Since the pipeline is a python pipeline, it certainly doesn't contain any log4j dependency so we shouldn't be vulnerable.
I will see about upgrading the pipeline version anyway, and if it's easy I'll commit the change in a few days. Thanks, Ben
Thanks a lot. Have a nice day. Best regards
Sent from my iPhone
On 15 Dec 2021 at 19:57, bmenasha @.***> wrote:
Thanks Jean-François. I understand that all three conditions need to be satisfied for the vulnerability to be present. Since the pipeline is a python pipeline, it certainly doesn't contain any log4j dependency so we shouldn't be vulnerable.
I will see about upgrading the pipeline version anyway, and if it's easy I'll commit the change in a few days. Thanks, Ben
Closing this issue, as it seems the main reason it was opened has been addressed.
Google Cloud is actively following the security vulnerability in the open-source Apache “Log4j 2" utility (CVE-2021-44228). We are currently assessing the potential impact of the vulnerability for Google Cloud products and services. This is an ongoing event and we will continue to provide updates through our customer communications channels.
A security vulnerability, CVE-2021-44228, has been disclosed in the Apache Log4j versions 2.0 to 2.14.1 and Dataflow users may be vulnerable to Log4j 2 under certain circumstances. Specifically, users that meet the following criteria should take immediate action: @bmenasha can you correct it please? Thanks a lot.