Foreman and CVE-2021-44228

Foreman and the common projects it interacts with are not impacted by CVE-2021-44228. For those who are more curious, here are the details!

There have already been questions on the Foreman community Discourse, where community members have done a good job of working out the impact of CVE-2021-44228 on Foreman users. This post aims to provide additional clarity in case any doubts remain.

If you’re a Puppet user, you might want to read the official Puppet response. To summarize: Puppet is not impacted.

If you use Foreman with the Katello plugin for content management, you also have Candlepin installed which Katello uses to handle subscription management.

Candlepin switched from log4j to logback in 2013, so log4j is not shipped with Candlepin. For libraries that Candlepin depends on and that log through log4j (such as Hibernate), we use the log4j-over-slf4j bridge, which redirects all of their logging to slf4j. That means Candlepin does not depend on log4j at all. However, Tomcat (on which Candlepin runs) on RHEL 7 does have a dependency on log4j, and log4j is on Tomcat's classpath, but that package is log4j-1.2.17-16.el7_4.noarch, a 1.x release. The Log4Shell vulnerability lives in the JNDI lookup of log4j 2.x; no 1.x release contains that code, so 1.x is not affected.

Additionally, a vulnerability of lesser impact, Red Hat BZ#2031667, does affect log4j 1.x, but only if a JMSAppender has been configured, which Tomcat's default logging configuration does not do. Candlepin/Tomcat is therefore still not affected by it: an attacker would already need root access to edit the log4j properties file and attach a JMSAppender before that vulnerability could be exploited.

Finally, the 'log4j.logger.' property prefix used in candlepin.conf to set per-package or per-class log levels is not a cause for concern: it is just a placeholder string left over from the time Candlepin used log4j, and it only carries a log level, not an appender definition. The prefix was kept so as not to break existing users' configurations.
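The three paragraphs above reduce to two checks an administrator can run on a Katello/Candlepin host: does any jar on Tomcat's classpath carry log4j-core 2.x with its JndiLookup class (the code behind CVE-2021-44228), and, if a log4j 1.x jar is present, does the properties file actually attach a JMSAppender to a logger. The script below is an added example written for this post, not Foreman, Katello or Candlepin project code. It identifies jars by standard class entries (org.apache.logging.log4j.core.LoggerContext and JndiLookup for log4j-core 2.x, org.apache.log4j.Logger and org.apache.log4j.net.JMSAppender for 1.x) and parses log4j 1.x properties the way PropertyConfigurator does, where an appender only comes to life when a rootLogger or logger line names it. The jars and property snippets inside it are constructed samples so it runs offline; the verdict strings and the `scan_jars` directory walker are this example's own conventions.

```python
"""Offline check for the log4j questions discussed above (added example).

1. classify_jar: which log4j artifact a jar is, and whether log4j-core 2.x
   still ships JndiLookup (CVE-2021-44228) - log4j 1.x never does.
2. jms_appenders: whether a log4j 1.x properties file defines a JMSAppender
   and whether any logger actually attaches it (precondition for the lesser
   1.x issue). 'log4j.logger.x=LEVEL' keys, as in candlepin.conf, set levels
   only and never define an appender.
"""
import io
import os
import zipfile

# Standard class entries that identify the artifacts.
LOG4J2_CORE = "org/apache/logging/log4j/core/LoggerContext.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_API = "org/apache/log4j/Logger.class"
LOG4J1_JMS = "org/apache/log4j/net/JMSAppender.class"
JMS_CLASS = "org.apache.log4j.net.JMSAppender"


def classify_jar(jar_bytes):
    """Return a verdict string for one jar based on the classes it ships."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    if LOG4J2_CORE in names:
        # log4j-core 2.x: exposed to CVE-2021-44228 unless the release is fixed
        # or JndiLookup.class was deleted from the jar as a mitigation.
        if JNDI_LOOKUP in names:
            return "log4j2-core-jndilookup"
        return "log4j2-core-no-jndilookup"
    if LOG4J1_API in names:
        # log4j 1.x proper ships JMSAppender; an API bridge such as
        # log4j-over-slf4j carries the org.apache.log4j API classes without it.
        if LOG4J1_JMS in names:
            return "log4j1-with-jmsappender"
        return "log4j1-api-only"
    return "not-log4j"


def scan_jars(root):
    """Walk a directory (e.g. Tomcat's lib dir) and classify every .jar in it."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = classify_jar(fh.read())
    return results


def jms_appenders(properties_text):
    """Parse log4j 1.x properties; return (defined, attached) JMSAppender names."""
    appenders = {}      # appender name -> class (log4j.appender.NAME=class)
    referenced = set()  # appender names listed on rootLogger/logger lines
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        parts = key.split(".")
        if parts[:2] == ["log4j", "appender"] and len(parts) == 3:
            appenders[parts[2]] = value
        elif key in ("log4j.rootLogger", "log4j.rootCategory") or \
                key.startswith(("log4j.logger.", "log4j.category.")):
            fields = [f.strip() for f in value.split(",")]  # LEVEL, app1, app2
            referenced.update(f for f in fields[1:] if f)
    defined = sorted(n for n, cls in appenders.items() if cls == JMS_CLASS)
    attached = sorted(n for n in defined if n in referenced)
    return defined, attached


def make_sample_jar(entries):
    """Build an in-memory jar with empty class entries (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


# Constructed samples standing in for jars found on a classpath.
SAMPLE_JARS = {
    "log4j-core-2.x.jar": make_sample_jar([LOG4J2_CORE, JNDI_LOOKUP]),
    "log4j-core-2.x-jndilookup-removed.jar": make_sample_jar([LOG4J2_CORE]),
    "log4j-1.2.x.jar": make_sample_jar([LOG4J1_API, LOG4J1_JMS]),
    "log4j-over-slf4j.jar": make_sample_jar([LOG4J1_API]),
}

# Constructed properties: a Tomcat-style default, a JMSAppender actually
# attached to the root logger, and candlepin.conf-style level keys only.
TOMCAT_DEFAULT = """\
log4j.rootLogger=INFO, CATALINA
log4j.appender.CATALINA=org.apache.log4j.DailyRollingFileAppender
log4j.appender.CATALINA.File=${catalina.base}/logs/catalina.
log4j.appender.CATALINA.layout=org.apache.log4j.PatternLayout
"""
JMS_ATTACHED = """\
log4j.rootLogger=INFO, CATALINA, JMS
log4j.appender.CATALINA=org.apache.log4j.ConsoleAppender
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=logTopic
"""
CANDLEPIN_LEVELS = """\
# candlepin.conf keeps the legacy log4j.logger. prefix for log levels only
log4j.logger.org.candlepin=DEBUG
log4j.logger.org.hibernate=WARN
"""

if __name__ == "__main__":
    for name, data in SAMPLE_JARS.items():
        print(f"{name}: {classify_jar(data)}")
    for label, props in (("tomcat", TOMCAT_DEFAULT), ("jms", JMS_ATTACHED),
                         ("candlepin", CANDLEPIN_LEVELS)):
        print(f"{label}: defined/attached JMSAppenders = {jms_appenders(props)}")
```

On a real host, point `scan_jars` at the Tomcat lib directory and `jms_appenders` at the log4j properties file Tomcat loads; a 1.x jar reporting `log4j1-with-jmsappender` is only a concern when the properties check returns a non-empty attached list.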

We hope this provides adequate clarity. If you have any questions, please feel free to reply to this post with your comments.

If you’re interested in further analysis of log4j, why not let our one and only evgeni take you on a tour:
