Posted to notifications@fluo.apache.org by GitBox <gi...@apache.org> on 2021/12/14 17:04:19 UTC

[GitHub] [fluo-muchos] arvindshmicrosoft opened a new issue #418: Evaluate Muchos surface area for exposure to CVE-2021-44228 and remediate as needed

arvindshmicrosoft opened a new issue #418:
URL: https://github.com/apache/fluo-muchos/issues/418


   Since Muchos can potentially be used to deploy and configure a cluster to use other pieces of software like Elastic Search, which does seem to be affected by [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228), we should investigate the extent of exposure in such cases and identify remediation (bump versions / add parameters, etc.)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@fluo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [fluo-muchos] ctubbsii commented on issue #418: Evaluate Muchos surface area for exposure to CVE-2021-44228 and remediate as needed

Posted by GitBox <gi...@apache.org>.
ctubbsii commented on issue #418:
URL: https://github.com/apache/fluo-muchos/issues/418#issuecomment-995242556


   > The only reason I specifically created this is to check and potentially update the version of Elastic (as added in #338) installed if the `elasticsearch` role is optionally assigned to a cluster node.
   
   Oh, I guess I don't know enough about that. My thought is that anything a user can specify the version for in `muchos.props` is the user's responsibility. Of course, we can update the defaults in the example, but I wasn't thinking there'd be downloaded resources that couldn't be configured in this file. Would ensuring that any downloaded resources we use can have their versions specified in the `muchos.props` file be sufficient to address this? Or is that already the case, and you're just concerned about the defaults?





[GitHub] [fluo-muchos] arvindshmicrosoft closed issue #418: Evaluate Muchos surface area for exposure to CVE-2021-44228 and remediate as needed

Posted by GitBox <gi...@apache.org>.
arvindshmicrosoft closed issue #418:
URL: https://github.com/apache/fluo-muchos/issues/418


   





[GitHub] [fluo-muchos] ctubbsii commented on issue #418: Evaluate Muchos surface area for exposure to CVE-2021-44228 and remediate as needed

Posted by GitBox <gi...@apache.org>.
ctubbsii commented on issue #418:
URL: https://github.com/apache/fluo-muchos/issues/418#issuecomment-995081834


   Shorter response: I don't think there's anything to do for this.





[GitHub] [fluo-muchos] arvindshmicrosoft commented on issue #418: Evaluate Muchos surface area for exposure to CVE-2021-44228 and remediate as needed

Posted by GitBox <gi...@apache.org>.
arvindshmicrosoft commented on issue #418:
URL: https://github.com/apache/fluo-muchos/issues/418#issuecomment-995262664


   There is no provision to specify the version of Elastic in muchos.props. #338 added a very specific reference to the version, directly in that playbook. Hence my concern to possibly rev that version. Eventually, we could probably make these ELK stack software versions configurable but that seems overkill for now. I just want to do due diligence without expending too much effort on anyone's part.





[GitHub] [fluo-muchos] arvindshmicrosoft commented on issue #418: Evaluate Muchos surface area for exposure to CVE-2021-44228 and remediate as needed

Posted by GitBox <gi...@apache.org>.
arvindshmicrosoft commented on issue #418:
URL: https://github.com/apache/fluo-muchos/issues/418#issuecomment-995106504


   > Shorter response: I don't think there's anything to do for this.
   
   The only reason I specifically created this is to update the version of Elastic (as added in #338) installed if the `elasticsearch` role is optionally assigned to a cluster node.





[GitHub] [fluo-muchos] ctubbsii commented on issue #418: Evaluate Muchos surface area for exposure to CVE-2021-44228 and remediate as needed

Posted by GitBox <gi...@apache.org>.
ctubbsii commented on issue #418:
URL: https://github.com/apache/fluo-muchos/issues/418#issuecomment-994828981


   Muchos is an internal tool used by developers of Fluo/Accumulo for cluster testing. It is not "released" software from the ASF, and as such, the Fluo PMC cannot recommend it be used in production or anywhere outside a development environment where it could be exposed to an attacker trying to exploit that CVE or any other. For the developer use cases it was written for, the tool only deploys software under the explicit control of the developer. If the developer wishes to deploy vulnerable code for the purposes of testing, that is an acceptable use case. Muchos itself doesn't depend on, or deploy log4j for its own purposes, but only deploys it as part of whatever version of Accumulo, Fluo, Hadoop, ZooKeeper, etc., that it was instructed to deploy. If those versions include a vulnerable version, they should be updated upstream. Muchos shouldn't modify them, but should deploy what it is instructed to deploy.


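The comment above makes the point that Muchos only unpacks whatever Accumulo, Fluo, Hadoop, ZooKeeper or Elasticsearch version it was told to deploy, so any log4j exposure lives in those tarballs rather than in Muchos itself. The due diligence the issue asks for therefore reduces to inventorying the deployed tree. The script below is an added example written for this page, not Muchos project code: it walks an install directory, opens every jar, reads the manifest's Implementation-Version (falling back to the file name), and flags log4j-core 2.x jars that still contain `JndiLookup.class` below the 2.15.0 fix line. The install tree, jar names and manifest contents in `demo()` are constructed sample data; `FIXED` is an assumed threshold that an operator would raise to whatever floor later advisories require.

```python
"""Inventory log4j-core jars under a deployed install tree and flag CVE-2021-44228 exposure.

Added example, not Muchos code. Assumes the cluster software has been unpacked to a
local directory tree so the jars can be opened with zipfile.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# The class that performs JNDI lookups; removing it from the jar was a documented mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# 2.15.0 was the first release addressing CVE-2021-44228. Later advisories (CVE-2021-45046,
# CVE-2021-45105) raised the recommended floor; adjust this assumed threshold to your policy.
FIXED: Version = (2, 15, 0)


@dataclass
class Finding:
    path: str
    version: Optional[Version]
    has_jndi_lookup: bool
    vulnerable: bool


def parse_version(text: str) -> Optional[Version]:
    """'2.11.1' -> (2, 11, 1); '2.17' -> (2, 17, 0); anything unparseable -> None."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jar_version(zf: zipfile.ZipFile, path: str) -> Optional[Version]:
    """Prefer the manifest's Implementation-Version; fall back to the jar's file name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            v = parse_version(line.split(":", 1)[1])
            if v:
                return v
    m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)", os.path.basename(path))
    return parse_version(m.group(1)) if m else None


def inspect_jar(path: str) -> Optional[Finding]:
    """Return a Finding for jars that look like log4j-core (by name or by bundled class)."""
    try:
        with zipfile.ZipFile(path) as zf:
            has_jndi = JNDI_LOOKUP in set(zf.namelist())
            version = jar_version(zf, path)
    except zipfile.BadZipFile:
        return None
    if not has_jndi and "log4j-core" not in os.path.basename(path):
        return None
    # Conservative: JndiLookup present with an unknown version, or a 2.x version below the
    # fix line, is flagged. A jar with the class stripped is not flagged whatever its version.
    vulnerable = has_jndi and (version is None or (2, 0, 0) <= version < FIXED)
    return Finding(path, version, has_jndi, vulnerable)


def scan_tree(root: str) -> List[Finding]:
    """Walk root, inspect every .jar, and return findings sorted by path.
    Limitation: jars nested inside other jars or wars are not opened."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                f = inspect_jar(os.path.join(dirpath, name))
                if f:
                    findings.append(f)
    return sorted(findings, key=lambda f: f.path)


def _make_fake_jar(path: str, version: str, with_jndi: bool) -> None:
    """Constructed sample jar: a manifest plus stub class entries (not real bytecode)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo() -> List[str]:
    """Build a constructed install tree and return the base names of the flagged jars."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "elasticsearch", "lib")
        os.makedirs(lib)
        _make_fake_jar(os.path.join(lib, "log4j-core-2.11.1.jar"), "2.11.1", True)
        _make_fake_jar(os.path.join(lib, "log4j-core-2.11.1-stripped.jar"), "2.11.1", False)
        _make_fake_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", True)
        _make_fake_jar(os.path.join(lib, "log4j-api-2.11.1.jar"), "2.11.1", False)
        return [os.path.basename(f.path) for f in scan_tree(root) if f.vulnerable]


if __name__ == "__main__":
    for name in demo():
        print("VULNERABLE:", name)
```

Run it against the directory a Muchos-deployed node unpacks its tarballs into; only the 2.11.1 jar that still carries `JndiLookup.class` is reported, while the stripped copy, the 2.17.1 jar and log4j-api are not. The check deliberately keys on the class being present rather than on the version string alone, so a jar patched by deleting the class is treated as mitigated, and an unversioned jar that still bundles the class is treated as exposed.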



[GitHub] [fluo-muchos] arvindshmicrosoft edited a comment on issue #418: Evaluate Muchos surface area for exposure to CVE-2021-44228 and remediate as needed

Posted by GitBox <gi...@apache.org>.
arvindshmicrosoft edited a comment on issue #418:
URL: https://github.com/apache/fluo-muchos/issues/418#issuecomment-995106504


   > Shorter response: I don't think there's anything to do for this.
   
   The only reason I specifically created this is to check and potentially update the version of Elastic (as added in #338) installed if the `elasticsearch` role is optionally assigned to a cluster node.

