Re: Log4Shell announcement (CVE-2021-44228)
Hi,

although it's unlikely that this configuration got changed in our installation, I'd like to check it. Can someone tell me which file contains the log4j configuration?

TIA!

Regards, Tobias Crefeld.

-----Original Message-----
From: Johannes Renner [mailto:jrenner@suse.de]
Sent: Monday, 13 December 2021 15:52
To: uyuni-users@opensuse.org; uyuni-announce@opensuse.org
Subject: Log4Shell announcement (CVE-2021-44228)

Dear Uyuni users,

With regard to the latest publication of the Log4Shell vulnerability [1], we can announce that as to our current knowledge Uyuni installations are not affected.

Log4j is used in Uyuni, but we are shipping version 1.2.17 (from openSUSE Leap 15.3) which apparently is showing that specific problem only when it is configured to use JMSAppender [2]. This is not the case in Uyuni as long as the log4j configuration has not manually been changed to use it. A general fix for the 1.2.17 package is currently being worked on and should become available soon.

Best regards, Johannes Renner

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-44228
[2] https://access.redhat.com/security/cve/CVE-2021-4104
Hi

These are the ones I directly know about. I think there are not more.

- /srv/tomcat/webapps/rhn/WEB-INF/classes/log4j.properties (tomcat)
- /usr/share/rhn/classes/log4j.properties (taskomatic)
- /usr/share/rhn/search/classes/log4j.properties (search daemon)

On Tuesday, 14 December 2021, 10:34:22 CET, Crefeld, Tobias LKV Bayern e.V. wrote:
Hi,
although it's unlikely that this configuration got changed in our installation, I'd like to check it. Can someone tell me which file contains the log4j configuration?
TIA!
Regards, Tobias Crefeld.
-----Original Message-----
From: Johannes Renner [mailto:jrenner@suse.de]
Sent: Monday, 13 December 2021 15:52
To: uyuni-users@opensuse.org; uyuni-announce@opensuse.org
Subject: Log4Shell announcement (CVE-2021-44228)
Dear Uyuni users,
With regard to the latest publication of the Log4Shell vulnerability [1], we can announce that as to our current knowledge Uyuni installations are not affected.
Log4j is used in Uyuni, but we are shipping version 1.2.17 (from openSUSE Leap 15.3) which apparently is showing that specific problem only when it is configured to use JMSAppender [2]. This is not the case in Uyuni as long as the log4j configuration has not manually been changed to use it. A general fix for the 1.2.17 package is currently being worked on and should become available soon.
Best regards, Johannes Renner
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-44228
[2] https://access.redhat.com/security/cve/CVE-2021-4104
-- Regards Michael Calmer -------------------------------------------------------------------------- Michael Calmer SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, D-90409 Nuernberg T: +49 (0) 911 74053 0 F: +49 (0) 911 74053575 - e-mail: Michael.Calmer@suse.com -------------------------------------------------------------------------- SUSE Software Solutions Germany GmbH, GF: Ivo Totev (HRB 36809, AG Nürnberg)
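
The check discussed in this thread, as an added example that is not part of the original messages or of Uyuni: it reads the three `log4j.properties` files named above and reports any uncommented appender whose class is `JMSAppender`, the condition the announcement ties to CVE-2021-4104. The function names and the `--scan` argument are this script's own (hypothetical); only the file paths come from the thread.

```shell
#!/bin/sh
# Added example: find active JMSAppender definitions in log4j 1.x
# properties files. Paths below are the ones listed in the thread.
UYUNI_LOG4J_FILES="/srv/tomcat/webapps/rhn/WEB-INF/classes/log4j.properties
/usr/share/rhn/classes/log4j.properties
/usr/share/rhn/search/classes/log4j.properties"

# Prints "file:line:appender-name" for every uncommented line of the form
#   log4j.appender.<name> = <...>.JMSAppender
# Returns 0 if none found, 1 if at least one found, 2 if unreadable.
find_jms_appenders() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 2; }
    awk -v file="$f" '
        /^[ \t]*[#!]/ { next }              # "#" and "!" start comments
        {
            if (!match($0, /[=:]/)) next    # key/value split on first = or :
            key = substr($0, 1, RSTART - 1)
            val = substr($0, RSTART + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            # Only the appender class line, not its sub-properties
            if (key ~ /^log4j\.appender\.[^.]+$/ && val ~ /(^|\.)JMSAppender$/) {
                sub(/^log4j\.appender\./, "", key)
                printf "%s:%d:%s\n", file, NR, key
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$f"
}

# Checks all three files; non-zero means a file needs manual review
# (JMSAppender configured, or the file could not be read).
scan_uyuni_configs() {
    status=0
    for f in $UYUNI_LOG4J_FILES; do
        find_jms_appenders "$f" || status=1
    done
    return $status
}

# Run the scan only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    scan_uyuni_configs && echo "no JMSAppender configured"
fi
```

A commented-out appender line is ignored, so a file that only carries a disabled example does not raise a finding.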