What are the Slack Archives?
It's a history of our time together in the Slack Community! There's a ton of knowledge in here, so feel free to search through the archives for a possible answer to your question.
Any knowledge about if log4j2 is used in Spryker by default? I tried some payloads in Elasticsearch
Any knowledge about whether log4j2 is used in Spryker by default? I tried some payloads in Elasticsearch and passed them through Jenkins, and it seems fine so far, but I am not a security professional so I don't really know what I am doing... I just threw some payloads at it.
Comments
For what it's worth: both Jenkins and ES say that their programs aren't vulnerable. But Cloudflare says on their blog that some of their ES instances are vulnerable... So idk.
Sources:
- https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/
- https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
- https://blog.cloudflare.com/how-cloudflare-security-responded-to-log4j2-vulnerability/
Spryker is a PHP application, so there is no Java. For infrastructure (depending on your setup) like Elasticsearch, you need to check with the vendor, as it is not created or maintained by Spryker.
If you self-host, sure. But for PaaS customers, as well as people who base their infra on the official Docker images, this info would be appreciated. I will obviously check myself further.
So far it seems fine anyway. I am not worried.
fsmeier, Senior Software Engineer & Developer Enablement Advocate, Sprykee, Posts: 1,084, Guardians (admin)
Good morning @U01TZ93MPSQ,
I think we are not affected. But the responsible Spryker team is looking into it to make sure we are really not affected (especially ES). I think we will have some official information at some point today. I'll keep you posted once I know more. :crossed_fingers:
I believe AWS managed services are described by Amazon here - https://aws.amazon.com/security/security-bulletins/AWS-2021-006/.
Guido X Jansen, Global Business & Technology Evangelist, Sprykee, Posts: 425, Guardians (admin)
Thx Florian!
Are there any plans or timelines for updating the docker-sdk to include the recommended 7.16.2 version of Elasticsearch?
@florian.scholz @valerii.trots: Happy New Year! Any news regarding the docker-sdk?
Happy New Year! We've got no response internally yet unfortunately.
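The thread's practical questions are "is my Elasticsearch at least the recommended 7.16.2?" and "is a vulnerable log4j-core jar still present on the box?". The script below is an added example (not code from the thread, from Spryker, or from Elastic) that answers both offline: it compares the version in an Elasticsearch `GET /` response against 7.16.2, and it inspects log4j-core jars for the `JndiLookup.class` entry that mitigated releases (and the widely published "delete the class from the jar" workaround) remove. The sample JSON bodies and in-memory jars are constructed fixtures; the jar filenames are illustrative and not tied to any particular Spryker docker-sdk image.

```python
import io
import json
import re
import zipfile

# Elasticsearch version the thread names as the recommended one. Assumption for
# this example: anything older is flagged for review.
RECOMMENDED_ES = (7, 16, 2)

# Entry whose presence in a log4j-core jar means the JNDI lookup is still shipped.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '7.10.2' (or '7.16.2-SNAPSHOT') into a comparable tuple of ints."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def es_version_ok(root_response):
    """True if the version in an Elasticsearch 'GET /' JSON body is >= RECOMMENDED_ES."""
    info = json.loads(root_response) if isinstance(root_response, str) else root_response
    return parse_version(info["version"]["number"]) >= RECOMMENDED_ES


def jar_has_jndi_lookup(jar_bytes):
    """True if the jar (given as bytes) still contains JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def make_jar(entries):
    """Constructed test fixture: build an in-memory jar with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


def assess(root_response, jars):
    """Run both checks; `jars` maps a filename to the jar's bytes. Returns a list of findings."""
    findings = []
    if not es_version_ok(root_response):
        findings.append("elasticsearch below " + ".".join(map(str, RECOMMENDED_ES)))
    for name, data in jars.items():
        if name.startswith("log4j-core") and jar_has_jndi_lookup(data):
            findings.append(f"{name} still contains JndiLookup.class")
    return findings


# Constructed sample data, not captured from a real cluster.
OLD_ROOT = json.dumps({"name": "es01", "version": {"number": "7.10.2"}})
NEW_ROOT = json.dumps({"name": "es01", "version": {"number": "7.16.2"}})
OLD_JAR = make_jar(["META-INF/MANIFEST.MF", JNDI_LOOKUP_CLASS])
PATCHED_JAR = make_jar(["META-INF/MANIFEST.MF"])

if __name__ == "__main__":
    # Against a real host: curl -s http://es:9200/ for the JSON body, and read the
    # log4j-core-*.jar files from the Elasticsearch lib/ directory as bytes.
    print(assess(OLD_ROOT, {"log4j-core-old.jar": OLD_JAR}))
    print(assess(NEW_ROOT, {"log4j-core-patched.jar": PATCHED_JAR}))
```

Two caveats a practitioner should keep in mind: the version check only tells you what Elasticsearch reports, not what the JVM actually loaded, so the jar scan is the more reliable signal; and a clean scan of Elasticsearch says nothing about other Java services in the same stack (the thread also mentions Jenkins), each of which needs the same inspection.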