[opencms-dev] Docker-OpenCms / log4j Vulnerability

lists.opencms.org at flexoft.net lists.opencms.org at flexoft.net
Mon Mar 7 11:13:58 CET 2022


No, manually replacing the libs doesn't work.

When the container starts, it reinstalls the jars. It even deletes the 
old 2.16.0 jars itself before reinstalling them. Some excerpts from the 
output of "docker-compose up -l":

opencms    | Executing OpenCms configuration script: 
/root/preinit/20_check_install.sh
opencms    | ---------------------------------------------------
opencms    | mkdir: created directory '/artifacts/libs'
opencms    | Writing properties file to contain list of JARs used by the 
OpenCms core, to be used in later updates.
opencms    | OpenCms already installed, updating modules and libs
opencms    | Changing Admin password for update
opencms    | Extract modules and libs
...
opencms    | removed 
'/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar'
opencms    | removed 
'/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar'
opencms    | removed 
'/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar'
opencms    | removed 
'/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar'
opencms    | Moving new JARs
opencms    | mv: inter-device move failed: '/artifacts/libs/jni' to 
'/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/jni'; unable to remove 
target: Directory not empty
opencms    | Update modules core
opencms    | === START OPENCMS SHELL ===
opencms    | Installing modules from /config/update-core-modules.ocsh 
using OpenCms home /usr/local/tomcat/webapps/ROOT
opencms    | No OpenCms home folder given. Trying to guess...
opencms    |
opencms    | OpenCms WEB-INF path: "/usr/local/tomcat/webapps/ROOT/WEB-INF".
opencms    | OpenCms property file: 
"/usr/local/tomcat/webapps/ROOT/WEB-INF/config/opencms.properties".
opencms    |
opencms    | SLF4J: Class path contains multiple SLF4J bindings.
opencms    | SLF4J: Found binding in 
[jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
opencms    | SLF4J: Found binding in 
[jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
opencms    | SLF4J: See 
http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
opencms    | SLF4J: Actual binding is of type 
[org.apache.logging.slf4j.Log4jLoggerFactory]


The problem is that docker-opencms is built using 
http://www.opencms.org/downloads/opencms/opencms-12.0.zip, which is old, 
but it is the latest available distribution file.

So even if I'd try to rebuild the opencms docker image, it wouldn't 
work, since there is no newer opencms distribution zip.

Best regards
Werner


On 07.03.2022 at 10:50, Jochen Graf via opencms-dev wrote:
> Hi Werner,
>
> if you still want the latest log4j 2.17 version with your Docker 
> image, manually replacing the libs should work.
>
> Maybe there is just a problem with order? Important is first to stop 
> the container and then delete the log4j libs. If you try to delete the 
> libs in a running container they will re-appear.
>
> Best
>
> Jochen
>
> On 07.03.22 at 10:07, deburau via opencms-dev wrote:
>> Sure, you are right. Unfortunately, there is no newer image. Latest 
>> official is three months old as you can see on docker hub: 
>> https://hub.docker.com/r/alkacon/opencms-docker/tags
>>
>>
>> On 07.03.2022 at 10:00, Manfred Schenk via opencms-dev wrote:
>>> Concerning security fixes in docker-based software it is better to 
>>> fix the image than fixing the container, i.e. you should use a newer 
>>> image where the issue is fixed instead of patching the container.
>>>
>>> Regards
>>> Manfred
>>>
>>> -----Original Message-----
>>> From: opencms-dev <opencms-dev-bounces at opencms.org> On behalf of 
>>> deburau via opencms-dev
>>> Sent: Monday, 7 March 2022 08:33
>>> To: opencms-dev at opencms.org
>>> Cc: lists.opencms.org at flexoft.net
>>> Subject: [opencms-dev] Docker-OpenCms / log4j Vulnerability
>>>
>>> Hi all,
>>>
>>> I was looking for a new CMS and thought to give OpenCms a try. I've 
>>> set it up using docker and all is running easily.
>>>
>>> Then I followed the instructions to migrate log4j from 2.16.0 to the 
>>> latest 2.17.2. This worked, but after stopping and starting the 
>>> container again, the old 2.16.0 reappeared.
>>>
>>> Before starting the container:
>>>
>>> $ sudo find data/|grep log4j
>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>>
>>> Starting the container:
>>>
>>> ...
>>> opencms    | SLF4J: Class path contains multiple SLF4J bindings.
>>> opencms    | SLF4J: Found binding in
>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>>> opencms    | SLF4J: Found binding in
>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>>> opencms    | SLF4J: See
>>> http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
>>> opencms    | SLF4J: Actual binding is of type 
>>> [org.apache.logging.slf4j.Log4jLoggerFactory]
>>> ...
>>>
>>> After starting the container:
>>>
>>> $ sudo find data/|grep log4j
>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar
>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar
>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar
>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar
>>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>>
>>> So I wonder whether this is ok, or if not, how to permanently remove 
>>> the 2.16.0 jars?
>>>
>>> Regards
>>> Werner
>>>
>>> _______________________________________________
>>> This mail is sent to you from the opencms-dev mailing list To change 
>>> your list options, or to unsubscribe from the list, please visit 
>>> https://lists.opencms.org/mailman/listinfo/opencms-dev
>>>
>>>
>>>
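
A check for the state the thread's `find data/|grep log4j` output shows after a restart, added here as an example and not taken from the mails or from the OpenCms project: it lists every log4j-*.jar below a directory (the data/tomcat-webapps/ROOT tree in the mails), reports any artifact present in more than one version, and lists jars whose version is below a given minimum. It assumes the jar naming pattern log4j-<artifact>-<version>.jar and a `sort` that supports `-V` (GNU coreutils).

```shell
#!/bin/sh
# Added example, not part of the thread: inventory log4j jars under a webapp
# tree and flag the mixed-version state seen after the container restart.

# Print "artifact version" for every log4j-*.jar found under $1,
# e.g. "log4j-core 2.16.0". Assumes names like log4j-<artifact>-<version>.jar.
log4j_jars() {
  find "$1" -name 'log4j-*.jar' 2>/dev/null | while read -r f; do
    base=$(basename "$f" .jar)   # log4j-slf4j-impl-2.17.2
    version=${base##*-}          # 2.17.2
    artifact=${base%-*}          # log4j-slf4j-impl
    echo "$artifact $version"
  done
}

# Return 0 when every log4j artifact occurs in exactly one version under $1;
# otherwise print the artifacts that occur more than once and return 1.
# Two versions of the same artifact on the class path is the condition behind
# the "multiple SLF4J bindings" warning in the container log.
check_single_log4j_version() {
  dups=$(log4j_jars "$1" | awk '{print $1}' | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "multiple versions found for: $dups"
    return 1
  fi
  return 0
}

# Print "artifact version" for every log4j jar under $1 whose version sorts
# below the minimum $2 (e.g. 2.17.1). Uses GNU 'sort -V' for version order.
log4j_below_min() {
  log4j_jars "$1" | while read -r artifact version; do
    lowest=$(printf '%s\n%s\n' "$version" "$2" | sort -V | head -n 1)
    if [ "$lowest" = "$version" ] && [ "$version" != "$2" ]; then
      echo "$artifact $version"
    fi
  done
}

# When run directly with a directory (and optional minimum version), apply
# both checks; nothing runs when the file is only sourced.
if [ $# -ge 1 ]; then
  check_single_log4j_version "$1"
  log4j_below_min "$1" "${2:-2.17.1}"
fi
```

Run it against the host-side data directory while the container is stopped, since the thread shows the start-up script replacing the jars again once the container is up.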

