CVE-2021-44228 log4j version is still shown on security scan



Article ID: 376457


Products

VMware Integrated OpenStack

Issue/Introduction

A security scan still reports the log4j-core-2.13.1.jar file.

Environment

7.3

Cause

Engineering has identified that the log4j-core jar file is only referenced and used at the time of licensing the product.

The VIO license-controller will not load the javalib image to decode a new license code.

Resolution

To remove log4j 2.13 from /var/lib/docker, find the javalib image and remove it:

docker images | grep javalib

docker rmi <image name:tag>

(example: docker rmi docker-registry.default.svc.dvs.local:5000/vmware/vio/javalib:7.0.0.xxx)

The same procedure works for other log4j versions that show up on a vulnerability scan, where the finding applies to the image containing the log4j-core jar.
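
A check to run after the removal steps above, as an added example that is not part of the original article: it lists any log4j-core jar still on disk under a directory and fails if one remains. The function names and the sample directory tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article): verify that no log4j-core jar
# remains under Docker's storage directory after "docker rmi".

# Print every log4j-core jar under directory $1 as "<version> <path>".
list_log4j_core() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        base=${jar##*/}            # e.g. log4j-core-2.13.1.jar
        ver=${base#log4j-core-}    # strip the artifact name
        ver=${ver%.jar}            # strip the extension -> 2.13.1
        printf '%s %s\n' "$ver" "$jar"
    done | sort
}

# Return 0 only when no log4j-core jar is left under directory $1.
check_removed() {
    found=$(list_log4j_core "$1")
    if [ -n "$found" ]; then
        printf 'log4j-core still present:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Build a constructed tree standing in for /var/lib/docker (sample data only).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/overlay2/abc123/diff/opt/lib"
    : > "$root/overlay2/abc123/diff/opt/lib/log4j-core-2.13.1.jar"
    : > "$root/overlay2/abc123/diff/opt/lib/log4j-api-2.13.1.jar"
    printf '%s\n' "$root"
}

# Demo: the sample tree still holds the jar, so the check reports it.
sample=$(make_sample_tree)
check_removed "$sample" || echo "result: jar still on disk"
rm -rf "$sample"
```

On the node, run `check_removed /var/lib/docker` as root after the `docker rmi` step. The check matches by file name only, so a jar repackaged under another name is not detected.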