[opencms-dev] Docker-OpenCms / log4j Vulnerability

lists.opencms.org at flexoft.net
Mon Mar 7 10:07:19 CET 2022


Sure, you are right. Unfortunately, there is no newer image. Latest 
official is three months old as you can see on docker hub: 
https://hub.docker.com/r/alkacon/opencms-docker/tags


On 07.03.2022 at 10:00, Manfred Schenk via opencms-dev wrote:
> Concerning security fixes in docker-based software it is better to fix the image than fixing the container, i.e. you should use a newer image where the issue is fixed instead of patching the container.
>
> Regards
> Manfred
>
> -----Original Message-----
> From: opencms-dev <opencms-dev-bounces at opencms.org> On behalf of deburau via opencms-dev
> Sent: Monday, 7 March 2022 08:33
> To: opencms-dev at opencms.org
> Cc: lists.opencms.org at flexoft.net
> Subject: [opencms-dev] Docker-OpenCms / log4j Vulnerability
>
> Hi all,
>
> I was looking for a new CMS and thought to give OpenCms a try. I've set it up using docker and all is running easily.
>
> Then I followed the instructions to migrate log4j from 2.16.0 to the latest 2.17.2. This worked, but after stopping and starting the container again, the old 2.16.0 reappeared.
>
> Before starting the container:
>
> $ sudo find data/|grep log4j
> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>
> Starting the container:
>
> ...
> opencms    | SLF4J: Class path contains multiple SLF4J bindings.
> opencms    | SLF4J: Found binding in [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> opencms    | SLF4J: Found binding in [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> opencms    | SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
> opencms    | SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
> ...
>
> After starting the container:
>
> $ sudo find data/|grep log4j
> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar
> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar
> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar
> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar
> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>
> So I wonder whether this is ok, or if not, how to permanently remove the
> 2.16.0 jars?
>
> Regards
> Werner
>
> _______________________________________________
> This mail is sent to you from the opencms-dev mailing list To change your list options, or to unsubscribe from the list, please visit https://lists.opencms.org/mailman/listinfo/opencms-dev
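Added example, not code from the thread or from the OpenCms project: a shell check that scans a webapp's WEB-INF/lib for log4j 2 artifacts present in more than one version (the state Werner's second listing shows after the restart) and for jars older than a given version, so a patched volume can be verified before and after each container start. The sample directory it builds is constructed from that listing; the directory path and minimum version are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): detect duplicate or outdated log4j 2 jars
# under a webapp's WEB-INF/lib. Filenames are assumed to follow the log4j 2
# convention "log4j-<artifact>-<x.y.z>.jar"; anything else is passed through as-is.
set -eu

# Print "artifact version" pairs for every log4j-*.jar below the given directory.
list_log4j_jars() {
  find "$1" -type f -name 'log4j-*.jar' 2>/dev/null \
    | sed -E 's#.*/(log4j-[a-z0-9-]+)-([0-9]+\.[0-9]+\.[0-9]+)\.jar$#\1 \2#' \
    | sort -u
}

# Print the artifacts that occur in more than one version (sorted);
# empty output means the lib directory carries a single version of each.
duplicate_log4j_artifacts() {
  list_log4j_jars "$1" | awk '{ n[$1]++ } END { for (a in n) if (n[a] > 1) print a }' | sort
}

# Print "artifact version" for every jar whose version is older than $2 (x.y.z),
# comparing the three numeric components in order.
log4j_jars_below() {
  list_log4j_jars "$1" | awk -v min="$2" '
    BEGIN { split(min, m, ".") }
    { split($2, v, ".")
      for (i = 1; i <= 3; i++) {
        if (v[i] + 0 < m[i] + 0) { print; break }
        if (v[i] + 0 > m[i] + 0) break
      } }'
}

# Constructed sample mirroring the "after starting the container" listing above:
# both 2.16.0 and 2.17.2 jars side by side. Prints the temporary directory path.
make_sample_lib() {
  dir=$(mktemp -d)
  mkdir -p "$dir/WEB-INF/lib"
  for j in log4j-jcl-2.17.2 log4j-slf4j-impl-2.17.2 log4j-api-2.17.2 log4j-api-2.16.0 \
           log4j-jcl-2.16.0 log4j-core-2.16.0 log4j-core-2.17.2 log4j-slf4j-impl-2.16.0; do
    : > "$dir/WEB-INF/lib/$j.jar"
  done
  printf '%s\n' "$dir"
}

sample=$(make_sample_lib)
echo "Artifacts present in more than one version:"
duplicate_log4j_artifacts "$sample"
echo "Jars older than 2.17.1 (assumed minimum):"
log4j_jars_below "$sample" 2.17.1
```

Run it against the real volume with `duplicate_log4j_artifacts data/tomcat-webapps/ROOT` before and after a restart; any output means the container start re-introduced jars from the image.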

