Page Comparison

Target version 2.17.1: https://logging.apache.org/log4j/2.x/changes-report.html#a2.17.1

Following tickets opened:

• AAI-3431 - AAI status (4 components with log4j) COMPLETE
  • aai-graph-admin, aai-resources, aai-traversal, aai-common : log4j <2.17.1 Direct dependencies updated
• DMAAP-1704 - DMAAP status (1 component with log4j) COMPLETE
  • dmaap-messagerouter-messageservice: log4j <2.17.1 Direct dependencies updated
• SDNC-1655 - SDNC status (1 component with log4j)
  • sdnc-oam: log4j 1.2.17 Direct dependency -> Dan created a ticket for an upgrade in Istanbul with low priority (https://jira.onap.org/browse/SDNC-1591) – “data-migrator needs to be migrated from log4j to log4j2 - which mostly entails just updating properties file and command line arguments in run script. Note: data-migrator is not currently used”. I have increased priority to high and added fixed version: Istanbul Maintenance release + comment under the ticket on the need to migrate to log4j-core 2.17.1.
• VNFSDK-827 - VNFSDK status (1 component with log4j)
  • vnfsdk-ves-agent: no scans for Istanbul branch -> as per Kanagaraj’s email sent on 24th of August, he mention that vnfsdk-ves-agent is not an active VNFSDK repo, so I have sent him an e-mail today to configure his jjb file accordingly.
• Restricted Wiki for Istanbul Maintenance release created
• CVE creation: no need to do it, simply we will document in the Release Notes repos that were impacted and fixed (direct) and document transitive dependencies. CVE is raised for vulnerability discovered in the code.
• ONAP CVEs opened so far: https://docs.onap.org/projects/onap-osa/en/latest/osalist.html
• Meeting deck includes vulnerable log4j findings from Trivy, Kubescape and NexusIQ scans

Bob presented phased approach for security logging which was consulted with SECCOM team.

ONAP Security Event Management

Meeting time blocked for recurring logging calls on Fridays at 3PM UTC. Email Amy Zwarico or the SECCOM mailing list to be added to the invitation