log4j bug - CVE-2021-44228

Message from Catherine

Proposal:

• Use SECCOM, or form a working group, to scope the issue within ONAP:
• identify the necessary changes
• develop a validation test plan, including automated regression testing
• develop an implementation plan (who, what, when)
• socialize with PTLs and TSC and develop consensus
• Devote all available resources to implementing and validating the fix on main, including setting aside work on Jakarta, if necessary
• Cherry pick changes to Istanbul and re-test
• Update Istanbul documentation/release notes, as necessary 
• Generate a maintenance release as quickly as possible, without shortcutting validation of the fix

• https://docs.docker.com/engine/scan/

• https://logging.apache.org/log4j/2.x/security.html

• Krzysztof Opasiak -Dlog4j2.formatMsgNoLookups=true

#AGREED the TSC approves remediating log4j as the top priority for the ONAP community requiring immediate action to correct in both Istanbul and master branches.

ONAP Vulnerability Management

•  Krzysztof Opasiak will file a CVE on ONAP's behalf (as soon as the list of projects are all confirmed at a minimum
•  SECCOM to present the action plan to the next PTL call on 12/20
•  SECCOM will create the JIRA tickets for the impacted projects in order to solve it as part of the Istanbul maintenance release and the Jakarta release. They will track to completion, supported by our release manager, David McBride  and the Integration Team (through the Docker Scan) 

David McBride

Release Status Weekly Update

#AGREED The log4j vulnerability will mandate an Istanbul maintenance release. The maintenance release should be limited to log4j remediation only.

cl664y@att.com - no changes to Jakarta release schedule due to focus on log4j issue for now.  Continue to monitor progress on the issue and re-evaluate as we approach M2 in January.

Jessica Gonzalez

• VVP & VNFRQTs No PTL. No Volunteers.
  • Where do we move 3GPP VES specification ownership?
  • Final call email is sent and a decision to move to unmaintained after the Jan. DTF event - FINAL CALL to support the ONAP VNFREQS, VVP Projects
    
    
• OOM down to one Committer (Krzysztof Opasiak finishing his PhD ) - Thank you Krzysztof Opasiak  for all your contribution - wishing you all the best 
  • OOM PTL please review the list of contributors and identify who from the community to promote
    
    
• E2E Network slicing leadership vacancy
  • N.K. Shankaranarayanan has been reaching out to help establish new leadership for the use case.

Ranny Haiby 
Brandon Wick

LFN + ONAP Marketing Update 

•  Brandon Wick upload a PDF of the slides presented by Brandon today to these minutes 16 Dec 2021

ONAP Marketing update 121621.pptx

cl664y@att.com

Kenny Paul

• LF's Diversity, Equity & Inclusion report
• TSC meetings canceled for Dec 23 & 30th.
• PTL meetings canceled for Dec 27 & Jan 3
• LFN Developer and Testing Forum, Jan. 10-13, 2022 (4h topics + 30 mins break)/day , Virtual Event 
  • Registration: https://community.lfnetworking.org/events/details/linux-foundation-lfn-developer-testing-forums-presents-lfn-developer-testing-forum-january-2022/
    

  • Sessions Page 

  • ONAP Community Program Committee Leads: Ranny Haiby , Timo Perala - Thank you  
• Open Networking & Edge Executive Forum (ONEEF)
  • Q1/Q2 Virtual
• LFN Developer & Testing Forum, Week of June 13th 2022
  • Physical Event
  • Porto, Portugal