I haven\u2019t noticed any messages or communications regarding the recent log4j vulnerability (CVE-2021-44228). Does Nutanix have some formal announcement for customers on the status of this threat as it relates to their product portfolio?\u00a0<\/p>","quoteUsername":"mandg","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

就像
报价
分享

本主题已关闭供评论

9回复

TeixeiraPaulo
“航行者”号
1回复
9天前
2021年12月13日
回答

嘿,伙计们,

在这个文档中有一些关于主题的信息。

https://download.nutanix.com/alerts/Security_Advisory_0023.pdf

eric.vorwald - 59235
“航行者”号
1回复
8天前
2021年12月13日

任何更新吗?PDF不会自动更新。

emu0099
“航行者”号
1回复
8天前
2021年12月13日

你好，不知怎么的，我错过了nutanix的一些更新，关于哪些产品现在最终受影响或不受影响，以及应该采取哪些步骤。
其他供应商，比如vmware，坦白地说，在传播更新和如何修复方面准备得更好

Hello, somehow I\u2019m missing some updates from nutanix in terms of which products are now\u00a0finally affected or not and what steps should be done.
Other vendors like vmware are frankly much better prepared in terms of spreading updates and how to fix\u00a0<\/p>","quoteUsername":"emu0099","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

Userlevel 6

+ 29

乔恩
Nutanix员工
567回复
8天前
2021年12月13日

你好，我是工程部的乔恩

在这个链接上的PDF将至少每天更新一次，直到我们把这个驱动完全接地。

此外，如果你在那里有用户帐户，你应该收到支持门户网站的大量邮件。

恕我直言，是安全警报应该out，意思是你应该自动获得它们，除非你已经明确地关闭它们，这里:https://portal.nutanix.com/page/subscriptions

例子:这是我第一次收到警报时的截图。

JonKohler |技术总监，工程，Nutanix | Nutanix NPX #003, VCDX #116 | @JonKohler |如果有用请赞美!

Howdy - Jon from Engineering here -<\/p>

\u00a0<\/p>

The PDF at that link will be updated at least once per day until we\u2019ve got this driven completely to ground.<\/p>

\u00a0<\/p>

Also, you should be getting an email blast from the support portal if you have a user account there.\u00a0<\/p>

\u00a0<\/p>

IMHO, the security alerts\u00a0should<\/em><\/strong>\u00a0be out-out, meaning you should get them automagically unless you\u2019ve specifically turned them off, here:\u00a0https:\/\/portal.nutanix.com\/page\/subscriptions<\/a><\/p>

\u00a0<\/p>

example: Here\u2019s a screenshot of the alert that I got when this first went out.<\/p>

\"//www.jhbzcj.com/next/how-it-works-22/\"

W

Userlevel 2

＋5

背着

领导流行的人

42个回复

8天前
2021年12月14日

乔恩，谢谢你的最新消息。PDF没有提到Community Edition，也没有列出易受攻击的产品的具体版本。并不是所有的集群都运行在最新的LTS/STS上。

如果Prism Central(所有版本)是脆弱的，那是否意味着Prism Element也是脆弱的?

Jon, thanks for the update. The PDF says nothing about Community Edition and does not list specific versions of vulnerable products. Not all clusters will be running on latest LTS\/STS.<\/p>
Also if Prism Central (all versions) is vulnerable, does that\u00a0mean that Prism Element is\u00a0also vulnerable?<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

就像

报价

Userlevel 6

+ 29

乔恩

Nutanix员工

567回复

7天前
2021年12月14日

乔恩，谢谢你的最新消息。PDF没有提到Community Edition，也没有列出易受攻击的产品的具体版本。并不是所有的集群都运行在最新的LTS/STS上。

如果Prism Central(所有版本)是脆弱的，那是否意味着Prism Element也是脆弱的?

@Waddles→你提出了很好的观点，谢谢你的帮助。

RE没有列出具体的版本:我们说“所有支持的版本”，但你是对的，我们应该更具体。我们所指的，具体来说，是由我们的EOL时间表定义的受支持的版本，在这里:

PC:https://download.nutanix.com/misc/PC_EOL/PC_EOL.pdf
代谢:https://download.nutanix.com/misc/AOS_EOL/AOS_EOL.pdf
文件:https://download.nutanix.com/misc/FILES_EOL/FILES_EOL.pdf
一般生命终止政策://www.jhbzcj.com/support-services/product-support/support-policies-and-faqs?show=accordion-0

我已经要求团队在SA中添加对这些链接的引用，以便每个人都清楚。

关于CE→另一个好点，它没有受到影响，我已经要求团队添加一行，即AOS (CE)没有受到影响。

Prism元素只是AOS的UI，所以它属于AOS行项目。我看看我们能不能把这一点讲清楚

JonKohler |技术总监，工程，Nutanix | Nutanix NPX #003, VCDX #116 | @JonKohler |如果有用请赞美!

\t
Jon, thanks for the update. The PDF says nothing about Community Edition and does not list specific versions of vulnerable products. Not all clusters will be running on latest LTS\/STS.<\/p>\t
Also if Prism Central (all versions) is vulnerable, does that\u00a0mean that Prism Element is\u00a0also vulnerable?<\/p>\t<\/div><\/content-quote>
@Waddles \u2192\u00a0You bring up good points, thanks for reaching out.<\/p>
RE not listing specific versions: We do say \u201cAll Supported Versions\u201d, but you\u2019re right, we should be more specific. What we\u2019re referring to, specifically, is supported versions as defined by our EOL schedules, here:\u00a0<\/p>
PC:\u00a0https:\/\/download.nutanix.com\/misc\/PC_EOL\/PC_EOL.pdf<\/a>
AOS:\u00a0 https:\/\/download.nutanix.com\/misc\/AOS_EOL\/AOS_EOL.pdf<\/a>
Files:\u00a0 https:\/\/download.nutanix.com\/misc\/FILES_EOL\/FILES_EOL.pdf<\/a>
General End of Life Policies:\u00a0 \/\/www.jhbzcj.com\/support-services\/product-support\/support-policies-and-faqs?show=accordion-0<\/a><\/p>
\u00a0<\/p>
I\u2019ve asked the team to add a reference to these links in the SA so its clear for everyone.<\/p>
\u00a0<\/p>
About CE \u2192\u00a0Another good point, It is not impacted and I\u2019ve asked the team to add a line i.e. AOS (CE) Not Impacted.\u00a0<\/p>
\u00a0<\/p>
Prism Element is just the UI for AOS, so it falls under AOS line item. I\u2019ll see if we can make that more clear too<\/p>","quoteUsername":"Jon","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

就像

报价

Userlevel 6

+ 29

乔恩

Nutanix员工

567回复

7天前
2021年12月14日

乔恩，谢谢你的最新消息。PDF没有提到Community Edition，也没有列出易受攻击的产品的具体版本。并不是所有的集群都运行在最新的LTS/STS上。

如果Prism Central(所有版本)是脆弱的，那是否意味着Prism Element也是脆弱的?

v1.6现在发布了，它调用CE不受影响，现在我们有特定的链接到支持的版本来澄清这一点。我们还为Prism Element添加了一个澄清，这都是基于您的反馈。谢谢你的贡献。

欢呼,

乔恩

JonKohler |技术总监，工程，Nutanix | Nutanix NPX #003, VCDX #116 | @JonKohler |如果有用请赞美!

\t
Jon, thanks for the update. The PDF says nothing about Community Edition and does not list specific versions of vulnerable products. Not all clusters will be running on latest LTS\/STS.<\/p>\t
Also if Prism Central (all versions) is vulnerable, does that\u00a0mean that Prism Element is\u00a0also vulnerable?<\/p>\t<\/div><\/content-quote>
v1.6 now posted, which calls out CE not impacted, and now we\u2019ve got specific links to supported versions to clarify that. We\u2019ve also added a clarification for Prism Element, which was all based on your feedback. Thanks for the contribution.<\/p>
\u00a0<\/p>
Cheers,<\/p>
Jon<\/p>","quoteUsername":"Jon","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

就像

报价

W

Userlevel 2

＋5

背着

领导流行的人

42个回复

7天前
2021年12月15日

感谢乔恩。我自己用

$ find / -xdev -name '*.jar' 2>/dev/null | xargs -I FILE sh -c "if zipgrep '^version=2' FILE '*log4j*' 2>/dev/null;然后echo在FILE中找到;fi”

发现这个库只在棱镜中心用于elasticsearch。希望这个命令可以作为通用搜索在人们需要它的其他应用程序中发挥作用。

在没有缓解策略的情况下，您能否确认elasticsearch只能通过经过身份验证的API调用进行访问，并且没有监听LAN地址上可访问的端口?

Thanks Jon. I did my own scan using\u00a0<\/p>
$ find \/ -xdev -name '*.jar' 2>\/dev\/null | xargs -I FILE sh -c \"if zipgrep '^version=2' FILE '*log4j*' 2>\/dev\/null; then echo found in FILE; fi\"<\/code><\/pre>and found the library is only used in Prism Central for elasticsearch. Hopefully that command may be useful as a general purpose search in case people need it for other applications.<\/p> In the absence of a mitigation strategy, can you confirm that elasticsearch is only accessible through authenticated API calls and is not listening on a port that is accessible on a LAN address?<\/p>","quoteUsername":"waddles","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 就像报价
Userlevel 6 + 29 乔恩 Nutanix员工 567回复 6天前 2021年12月15日我将给你一个更好的，Elasticsearch根本没有被使用，那个包是很久以前添加的，从来没有被删除过。我们将在2021.9.0.3移除它 JonKohler |技术总监，工程，Nutanix | Nutanix NPX #003, VCDX #116 | @JonKohler |如果有用请赞美! I\u2019ll do you one better, Elasticsearch isn\u2019t used at all, that package was added a long time ago and never got deleted. We\u2019re removing it in 2021.9.0.3<\/p>","quoteUsername":"Jon","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}"> 就像报价

由内报名已经有账户了?登录用你的帐户登入登录社区用你的帐户登入输入您的用户名或电子邮件地址。我们会给你发一封电子邮件，告诉你如何重置密码。用户名或电子邮件回到概述扫描文件病毒。抱歉，我们仍在检查这个文件的内容，以确保下载是安全的。请几分钟后再试。好吧无法下载此文件对不起，我们的病毒扫描程序检测到这个文件下载不安全。好吧