Subject:
No Quantastor does not use log4j, no QuantaStor changes are required for this CVE.
Details:
The one area that we use Java in the QuantaStor system is with the web management interface which uses Apache Tomcat as the back-end web server. Fortunately we're using the default JULI logging system rather than the security compromised log4j logging system.
You can see the default documentation here which outlines JULI is used by default for Tomcat and it requires special steps to get Tomcat to use log4j.
(https://tomcat.apache.org/tomcat-8.0-doc/logging.html#Using_Log4j)
We don't use log4j so there should be no action required to address this CVE in QuantaStor installs. We confirmed this is the case by double-checking the conf/logging.properties and conf/catalina.properties files which all show we're using JULI rather than log4j.
conf/logging.properties:handlers =
1catalina.org.apache.juli.AsyncFileHandler,
2localhost.org.apache.juli.AsyncFileHandler,
3manager.org.apache.juli.AsyncFileHandler,
4host-manager.org.apache.juli.AsyncFileHandler,
java.util.logging.ConsoleHandler
conf/logging.properties:.handlers =
1catalina.org.apache.juli.AsyncFileHandler,
java.util.logging.ConsoleHandler
conf/logging.properties:1catalina.org.apache.juli.AsyncFileHandler.level
= FINE
conf/logging.properties:1catalina.org.apache.juli.AsyncFileHandler.directory
= ${catalina.base}/logs
conf/logging.properties:1catalina.org.apache.juli.AsyncFileHandler.prefix
= catalina.
conf/logging.properties:2localhost.org.apache.juli.AsyncFileHandler.level
= FINE
conf/logging.properties:2localhost.org.apache.juli.AsyncFileHandler.directory
= ${catalina.base}/logs
conf/logging.properties:2localhost.org.apache.juli.AsyncFileHandler.prefix
= localhost.
conf/logging.properties:3manager.org.apache.juli.AsyncFileHandler.level
= FINE
conf/logging.properties:3manager.org.apache.juli.AsyncFileHandler.directory
= ${catalina.base}/logs
conf/logging.properties:3manager.org.apache.juli.AsyncFileHandler.prefix
= manager.
conf/logging.properties:4host-manager.org.apache.juli.AsyncFileHandler.level
= FINE
conf/logging.properties:4host-manager.org.apache.juli.AsyncFileHandler.directory
= ${catalina.base}/logs
conf/logging.properties:4host-manager.org.apache.juli.AsyncFileHandler.prefix
= host-manager.
conf/logging.properties:java.util.logging.ConsoleHandler.formatter =
org.apache.juli.OneLineFormatter
conf/logging.properties:org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers
= 2localhost.org.apache.juli.AsyncFileHandler
conf/logging.properties:org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers
= 3manager.org.apache.juli.AsyncFileHandler
conf/logging.properties:org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers
= 4host-manager.org.apache.juli.AsyncFileHandler
Comments