can you please let us know if icinga2 also affected with N Log4J CVE-2021-44228 Apache
if yes do we need to also -Dlog4j2.formatMsgNoLookups=true this parameter
This is my personal thinking about this (maybe too narrow-minded?), as I have no java stuff on my monitoring systems and Log4j 2 is a Java logging library and there is no java code in the Icinga project this CVE does not impact Icinga.
Tests for it:
maybe this helps as well to find if you have any associated files present:
find / -type f >> ~/file_list.txt && egrep "log4j|[Jj]ndi[lL]ookup" ~/file_list.txt;rm -f ~/file_list.txt
I’ve actively… let’s say… “co-developed” core, web and Icinga DB and never seen any line of java code. The only exception:
But on that you’d have to ask team Graylog.