[opencms-dev] Docker-OpenCms / log4j Vulnerability

Jochen Graf j.graf at alkacon.com
Mon Mar 7 10:50:47 CET 2022


Hi Werner,

if you still want the latest log4j 2.17 version with your Docker image, 
manually replacing the libs should work.

Maybe it is just a problem of order? It is important to first stop the 
container and then delete the log4j libs. If you try to delete the libs 
in a running container they will re-appear.

Best

Jochen

On 07.03.22 at 10:07, deburau via opencms-dev wrote:
> Sure, you are right. Unfortunately, there is no newer image. Latest 
> official is three months old as you can see on docker hub: 
> https://hub.docker.com/r/alkacon/opencms-docker/tags
>
>
> On 07.03.2022 at 10:00, Manfred Schenk via opencms-dev wrote:
>> Concerning security fixes in docker-based software it is better to 
>> fix the image than fixing the container, i.e. you should use a newer 
>> image where the issue is fixed instead of patching the container.
>>
>> Regards
>> Manfred
>>
>> -----Original Message-----
>> From: opencms-dev <opencms-dev-bounces at opencms.org> On Behalf Of 
>> deburau via opencms-dev
>> Sent: Monday, 7 March 2022 08:33
>> To: opencms-dev at opencms.org
>> Cc: lists.opencms.org at flexoft.net
>> Subject: [opencms-dev] Docker-OpenCms / log4j Vulnerability
>>
>> Hi all,
>>
>> I was looking for a new CMS and thought to give OpenCms a try. I've 
>> set it up using docker and all is running easily.
>>
>> Then I followed the instructions to migrate log4j from 2.16.0 to the 
>> latest 2.17.2. This worked, but after stopping and starting the 
>> container again, the old 2.16.0 reappeared.
>>
>> Before starting the container:
>>
>> $ sudo find data/|grep log4j
>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>
>> Starting the container:
>>
>> ...
>> opencms    | SLF4J: Class path contains multiple SLF4J bindings.
>> opencms    | SLF4J: Found binding in [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>> opencms    | SLF4J: Found binding in [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>> opencms    | SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
>> opencms    | SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
>> ...
>>
>> After starting the container:
>>
>> $ sudo find data/|grep log4j
>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar
>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar
>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar
>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar
>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>
>> So I wonder whether this is ok, or if not, how to permanently remove the
>> 2.16.0 jars?
>>
>> Regards
>> Werner
>>
>> _______________________________________________
>> This mail is sent to you from the opencms-dev mailing list To change 
>> your list options, or to unsubscribe from the list, please visit 
>> https://lists.opencms.org/mailman/listinfo/opencms-dev
>>
-- 
Alkacon Software GmbH & Co. KG  - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
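The thread's only verification is a `find | grep log4j` read by eye. The following is an added example, not code from the thread, from OpenCms or from the Alkacon Docker image: a POSIX shell check that lists the log4j versions found in a WEB-INF/lib directory and passes only when exactly one version is present and it is at or above a required minimum. The jar names in the constructed fixture are taken from Werner's two listings; the directory layout, the minimum-version argument and the helper names (`vercmp`, `log4j_versions`, `check_log4j`, `make_fixture`) are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the opencms-dev thread, OpenCms or the Alkacon
# image): verify that a webapp's WEB-INF/lib holds exactly one log4j
# version and that it meets a required minimum. Run it against the
# bind-mounted lib directory after every container start, or against a
# copy of WEB-INF/lib taken out of a rebuilt image, so a re-populated
# 2.16.0 jar sitting next to 2.17.2 cannot go unnoticed. Two versions side
# by side is a failure in its own right: which log4j-core the class loader
# serves first is not something to rely on.

set -u

# Compare two dotted numeric versions; print -1, 0 or 1. Pure POSIX sh, so
# it does not depend on GNU `sort -V`. Missing components count as 0, so
# 2.17 compares equal to 2.17.0.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then echo -1; return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then echo 1; return 0; fi
    done
    echo 0
}

# Print the distinct versions of all log4j-*.jar files in a lib directory,
# one per line. The version is whatever follows the last '-' before '.jar',
# which is the Maven naming used by every jar in the thread's listings.
log4j_versions() {
    libdir=$1
    for f in "$libdir"/log4j-*.jar; do
        [ -e "$f" ] || continue       # no match: the glob stays literal
        base=${f##*/}                 # log4j-core-2.17.2.jar
        base=${base%.jar}             # log4j-core-2.17.2
        printf '%s\n' "${base##*-}"   # 2.17.2
    done | sort -u
}

# Return 0 only if $1 contains log4j jars of exactly one version and that
# version is >= $2; print a one-line verdict either way.
check_log4j() {
    libdir=$1; minver=$2
    versions=$(log4j_versions "$libdir")
    if [ -z "$versions" ]; then
        echo "FAIL: no log4j jars under $libdir"; return 1
    fi
    count=$(printf '%s\n' "$versions" | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "FAIL: $count log4j versions under $libdir: $(echo "$versions" | tr '\n' ' ')"
        return 1
    fi
    if [ "$(vercmp "$versions" "$minver")" -lt 0 ]; then
        echo "FAIL: log4j $versions under $libdir is below minimum $minver"; return 1
    fi
    echo "OK: log4j $versions under $libdir (minimum $minver)"
}

# Constructed fixture so the script runs offline: empty files stand in for
# the jars. Prints the directory it created.
make_fixture() {
    dir=$(mktemp -d)
    for n in "$@"; do : > "$dir/$n"; done
    printf '%s\n' "$dir"
}

# The two `find` listings from the thread, before and after the restart.
before=$(make_fixture log4j-jcl-2.17.2.jar log4j-slf4j-impl-2.17.2.jar \
                      log4j-api-2.17.2.jar log4j-core-2.17.2.jar)
after=$(make_fixture log4j-jcl-2.17.2.jar log4j-slf4j-impl-2.17.2.jar \
                     log4j-api-2.17.2.jar log4j-api-2.16.0.jar log4j-jcl-2.16.0.jar \
                     log4j-core-2.16.0.jar log4j-core-2.17.2.jar log4j-slf4j-impl-2.16.0.jar)

check_log4j "$before" 2.17.1 || true   # OK: one version, at or above minimum
check_log4j "$after"  2.17.1 || true   # FAIL: 2.16.0 and 2.17.2 side by side
rm -rf "$before" "$after"
```

Point `check_log4j` at the bind-mounted lib directory (in the thread, `data/tomcat-webapps/ROOT/WEB-INF/lib`) after each container start and treat a non-zero exit as a blocked deploy; for Manfred's approach of fixing the image rather than the container, run the same check over the lib directory of the rebuilt image before it is tagged. The duplicate-version case is the one worth failing on explicitly: with both 2.16.0 and 2.17.2 on the classpath, the SLF4J warning in Werner's log only tells you which slf4j binding won, not which log4j-core the application is actually using.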
