[opencms-dev] Docker-OpenCms / log4j Vulnerability
lists.opencms.org at flexoft.net
Mon Mar 7 08:32:30 CET 2022
Hi all,
I was looking for a new CMS and thought to give OpenCms a try. I've set
it up using docker and all is running easily.
Then I followed the instructions to migrate log4j from 2.16.0 to the
latest 2.17.2. This worked, but after stopping and starting the
container again, the old 2.16.0 reappeared.
Before starting the container:
$ sudo find data/|grep log4j
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
Starting the container:
...
opencms | SLF4J: Class path contains multiple SLF4J bindings.
opencms | SLF4J: Found binding in
[jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
opencms | SLF4J: Found binding in
[jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
opencms | SLF4J: See
http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
opencms | SLF4J: Actual binding is of type
[org.apache.logging.slf4j.Log4jLoggerFactory]
...
After starting the container:
$ sudo find data/|grep log4j
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar
data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
So I wonder whether this is ok, or if not, how to permanently remove the
2.16.0 jars?
Regards
Werner
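The listing in the post is the thing to watch for: once both log4j-core-2.16.0.jar and log4j-core-2.17.2.jar sit in WEB-INF/lib, which one the class loader actually picks is not under your control, and the "multiple SLF4J bindings" warning in the container log is the symptom of the same duplication. The script below is an added example, not part of the post or of the OpenCms Docker image: it scans a webapp directory for log4j-*.jar files, reports any artifact present in more than one version, and flags any jar older than a minimum version you pass in. The make_sample function builds a constructed directory that mirrors the "after restart" listing above so the checks can be exercised offline; the directory path and the 2.17.2 minimum are assumptions for the example.

```shell
#!/bin/sh
# Added example: verify that a deployed webapp carries exactly one version of each
# log4j artifact and that none of them is older than a given minimum version.

# Print "artifact version" pairs for every log4j jar below the given directory,
# e.g. "log4j-core 2.17.2". log4j2.xml is not matched because it is not a jar.
list_log4j_jars() {
    find "$1" -name 'log4j-*.jar' 2>/dev/null | while read -r f; do
        base=$(basename "$f" .jar)
        version=${base##*-}      # "log4j-slf4j-impl-2.17.2" -> "2.17.2"
        artifact=${base%-*}      # "log4j-slf4j-impl-2.17.2" -> "log4j-slf4j-impl"
        printf '%s %s\n' "$artifact" "$version"
    done | sort -u
}

# Return 0 when every artifact occurs once; otherwise print the duplicated
# artifact names and return 1.
check_duplicates() {
    dups=$(list_log4j_jars "$1" | awk '{ n[$1]++ } END { for (a in n) if (n[a] > 1) print a }' | sort)
    if [ -n "$dups" ]; then
        echo "log4j artifacts present in more than one version:"
        echo "$dups"
        return 1
    fi
    return 0
}

# Return 0 when no jar is older than the minimum version (dotted numeric form);
# otherwise print the stale jar names and return 1.
check_min_version() {
    dir=$1; min=$2
    stale=$(list_log4j_jars "$dir" | awk -v min="$min" '
        # numeric comparison of dotted versions: -1, 0 or 1
        function vcmp(a, b,    x, y, n, m, i) {
            n = split(a, x, "[.]"); m = split(b, y, "[.]")
            for (i = 1; i <= (n > m ? n : m); i++) {
                if (x[i] + 0 < y[i] + 0) return -1
                if (x[i] + 0 > y[i] + 0) return 1
            }
            return 0
        }
        vcmp($2, min) < 0 { print $1 "-" $2 ".jar" }')
    if [ -n "$stale" ]; then
        echo "log4j jars older than $min:"
        echo "$stale"
        return 1
    fi
    return 0
}

# Constructed sample (assumption for the example): empty files named like the
# jars in the post's "after starting the container" listing.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/WEB-INF/lib"
    for j in log4j-jcl-2.17.2 log4j-slf4j-impl-2.17.2 log4j-api-2.17.2 log4j-api-2.16.0 \
             log4j-jcl-2.16.0 log4j-core-2.16.0 log4j-core-2.17.2 log4j-slf4j-impl-2.16.0; do
        : > "$d/WEB-INF/lib/$j.jar"
    done
    echo "$d"
}

# Usage: sh check_log4j.sh data/tomcat-webapps/ROOT
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    check_duplicates "$1"
    check_min_version "$1" 2.17.2
fi
```

Run it against the mounted data directory after every container start, not only once after the upgrade; a restart that re-extracts the original WAR is exactly the case where a clean result turns into the duplicated listing shown above.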