log4j vulnerbilities #5503

RG00334999 · 2021-12-15T17:07:10Z

RG00334999
Dec 15, 2021

is log4j vulnerbilities impacted in StaCKSTORM?

Dec 15, 2021

No.
StackStorm is a Python-based system. It doesn't use or rely on Log4j.
This way it's not impacted by the Java Log4J vulnerabilities.

View full answer

arm4b · 2021-12-15T17:59:18Z

arm4b
Dec 15, 2021

No.
StackStorm is a Python-based system. It doesn't use or rely on Log4j.
This way it's not impacted by the Java Log4J vulnerabilities.

8 replies

arm4b Dec 15, 2021

st2 v2.6 is 4 years old and is affected by the other 3 vulnerabilities discovered in the StackStorm itself:
https://stackstorm.com/security/ with the latest found in v3.5.

I'd recommend planning to migrate to the latest StackStorm v3.6.0 version which is known to have no security issues at this moment.

RG00334999 Dec 15, 2021
Author

Thanks much for your inputs...so log4j is not the concern for now...
and for upgrade..we will definately plan for upgrade but before that couple of questions...

can we directly upgrade from v2.6 to v3,5?
2)Also, please help me with any guide which we can follow during upgrade

really appreciate if you can help me with other steps...i am new in stackstorm and I would like to learn stackstorm closely

arm4b Dec 15, 2021

There are upgrade notes: https://docs.stackstorm.com/upgrade_notes.html as well as version-to-version migration recommendations: https://docs.stackstorm.com/install/upgrades.html#version-specific-changes-migration-scripts

But going from v2.6 to v3.6 won't be easy as the system was reworked in many areas, including the change of workflow engine, change in the packaging, python 2 -> 3 change.

Perhaps instead of an in-place update, installing a fresh stackstorm v3.6 environment and starting copying the logic and packs from old to the new system would be a better strategy.

When the new system (v3.6) finally works as expected, you call it production-ready and shut down the old one (v2.6).

RG00334999 Dec 16, 2021
Author

for now our environmnet is on v2.6, upgrade will take couple of months as we have to do study little bit more.
meanwhile can you please help me with the v2.6 guide and installer as we have to do ready one more servers to manage our load in existing environmnet

RG00334999 Dec 16, 2021
Author

Another topic-
we have one environment in version 3.2 if you can share doc for that version too, what we feel in newer version 3.6 not all the components like misterl is availbale

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

log4j vulnerbilities #5503

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 8 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

log4j vulnerbilities #5503

RG00334999 Dec 15, 2021

Replies: 1 comment · 8 replies

arm4b Dec 15, 2021

arm4b Dec 15, 2021

RG00334999 Dec 15, 2021 Author

arm4b Dec 15, 2021

RG00334999 Dec 16, 2021 Author

RG00334999 Dec 16, 2021 Author

RG00334999
Dec 15, 2021

Replies: 1 comment 8 replies

arm4b
Dec 15, 2021

RG00334999 Dec 15, 2021
Author

RG00334999 Dec 16, 2021
Author

RG00334999 Dec 16, 2021
Author