[opencms-dev] Docker-OpenCms / log4j Vulnerability

Manfred Schenk manfred.schenk at zerobyte.de
Mon Mar 7 10:00:49 CET 2022


Concerning security fixes in docker-based software, it is better to fix the image than to fix the container, i.e. you should use a newer image where the issue is fixed instead of patching the container.

Regards
Manfred

-----Original Message-----
From: opencms-dev <opencms-dev-bounces at opencms.org> On behalf of deburau via opencms-dev
Sent: Monday, 7 March 2022 08:33
To: opencms-dev at opencms.org
Cc: lists.opencms.org at flexoft.net
Subject: [opencms-dev] Docker-OpenCms / log4j Vulnerability

Hi all,

I was looking for a new CMS and thought to give OpenCms a try. I've set it up using docker and all is running easily.

Then I followed the instructions to migrate log4j from 2.16.0 to the latest 2.17.2. This worked, but after stopping and starting the container again, the old 2.16.0 reappeared.

Before starting the container:

$ sudo find data/|grep log4j
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml

Starting the container:

...
opencms    | SLF4J: Class path contains multiple SLF4J bindings.
opencms    | SLF4J: Found binding in [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
opencms    | SLF4J: Found binding in [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
opencms    | SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
opencms    | SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
...

After starting the container:

$ sudo find data/|grep log4j
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar
data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml

So I wonder whether this is ok, or if not, how to permanently remove the 2.16.0 jars?

Regards
Werner

_______________________________________________
This mail is sent to you from the opencms-dev mailing list To change your list options, or to unsubscribe from the list, please visit https://lists.opencms.org/mailman/listinfo/opencms-dev
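The listings above show the state a practitioner needs to detect: after a restart, both 2.16.0 and 2.17.2 of every log4j artifact sit side by side in WEB-INF/lib, and which one the classloader picks is not something to rely on. The following shell script is an added example, not code from the original posts or from the OpenCms or docker-opencms projects. It walks a directory tree (the mounted data/tomcat-webapps/ROOT directory from the post, or any other path), extracts artifact name and version from every log4j-*.jar it finds, and fails when an artifact is present in more than one version or in a version below a required minimum (2.17.2 is assumed here as the floor; the function names check_log4j_jars and ver_ge are hypothetical).

```shell
#!/bin/sh
# Added example (not OpenCms/docker-opencms code): verify that a webapp tree
# carries exactly one version of each log4j jar and that the version is at
# least the required minimum. Exit status 0 = clean, 1 = findings, 2 = no jars.

# ver_ge A B: true when version A (x.y or x.y.z) is >= version B.
ver_ge() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}
    case $rest in *.*) a3=${rest#*.};; *) a3=0;; esac
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}
    case $rest in *.*) b3=${rest#*.};; *) b3=0;; esac
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# check_log4j_jars DIR MINVER: scan DIR for log4j-*.jar files and report
# duplicate artifacts (same jar in two versions) and outdated versions.
check_log4j_jars() {
    dir=$1; minver=$2; status=0
    # Turn ".../log4j-core-2.16.0.jar" into "log4j-core 2.16.0", one per line.
    pairs=$(find "$dir" -type f -name 'log4j-*.jar' \
        | sed -n 's#.*/\(log4j-[a-z0-9-]*\)-\([0-9][0-9.]*\)\.jar$#\1 \2#p' \
        | sort -u)
    if [ -z "$pairs" ]; then
        echo "no log4j jars found under $dir"
        return 2
    fi
    for art in $(printf '%s\n' "$pairs" | cut -d' ' -f1 | sort -u); do
        vers=$(printf '%s\n' "$pairs" | awk -v a="$art" '$1==a {print $2}')
        n=$(printf '%s\n' "$vers" | grep -c .)
        if [ "$n" -gt 1 ]; then
            # This is exactly the post-restart state from the post above.
            echo "DUPLICATE: $art present in versions: $(printf '%s ' $vers)"
            status=1
        fi
        for v in $vers; do
            if ! ver_ge "$v" "$minver"; then
                echo "OUTDATED: $art $v is below required $minver"
                status=1
            fi
        done
    done
    [ "$status" -eq 0 ] && echo "OK: $dir carries a single log4j version >= $minver"
    return $status
}

# Usage: ./check_log4j.sh data/tomcat-webapps/ROOT [2.17.2]
if [ $# -ge 1 ]; then
    check_log4j_jars "$1" "${2:-2.17.2}"
fi
```

Run it against the host-side data/ directory before and after a restart, or inside the container with docker exec, and wire it into the deployment pipeline so a restart that re-introduces jars from the image fails loudly instead of silently. A non-zero exit here is the signal that, as the reply above says, the image itself must be rebuilt or replaced; deleting jars from a running container is undone the next time the container is recreated from that image.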
