[opencms-dev] Docker-OpenCms / log4j Vulnerability
Jochen Graf
j.graf at alkacon.com
Mon Mar 7 11:20:16 CET 2022
Hi Werner,
please try the following:
(1) docker-compose stop
(2) sudo rm data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-* (delete version
2.16 from the WEB-INF/lib folder)
(3) sudo cp log4j-* data/tomcat-webapps/ROOT/WEB-INF/lib/ (copy version
2.17 into the WEB-INF/lib folder)
(4) docker-compose start
If you use docker-compose start/stop instead of docker-compose up/down,
OpenCms is not reinstalled.
Best
Jochen
Am 07.03.22 um 11:13 schrieb deburau via opencms-dev:
> No, manually replacing the libs doesn't work.
>
> When the container starts, it reinstalls the jars. It even deletes the
> old 2.16.0 jars itself before reinstalling them. Some excerpts from
> the output of "docker-compose up -l":
>
> opencms | Executing OpenCms configuration script:
> /root/preinit/20_check_install.sh
> opencms | ---------------------------------------------------
> opencms | mkdir: created directory '/artifacts/libs'
> opencms | Writing properties file to contain list of JARs used by
> the OpenCms core, to be used in later updates.
> opencms | OpenCms already installed, updating modules and libs
> opencms | Changing Admin password for update
> opencms | Extract modules and libs
> ...
> opencms | removed
> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar'
> opencms | removed
> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar'
> opencms | removed
> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar'
> opencms | removed
> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar'
> opencms | Moving new JARs
> opencms | mv: inter-device move failed: '/artifacts/libs/jni' to
> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/jni'; unable to remove
> target: Directory not empty
> opencms | Update modules core
> opencms | === START OPENCMS SHELL ===
> opencms | Installing modules from /config/update-core-modules.ocsh
> using OpenCms home /usr/local/tomcat/webapps/ROOT
> opencms | No OpenCms home folder given. Trying to guess...
> opencms |
> opencms | OpenCms WEB-INF path:
> "/usr/local/tomcat/webapps/ROOT/WEB-INF".
> opencms | OpenCms property file:
> "/usr/local/tomcat/webapps/ROOT/WEB-INF/config/opencms.properties".
> opencms |
> opencms | SLF4J: Class path contains multiple SLF4J bindings.
> opencms | SLF4J: Found binding in
> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> opencms | SLF4J: Found binding in
> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> opencms | SLF4J: See
> http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
> opencms | SLF4J: Actual binding is of type
> [org.apache.logging.slf4j.Log4jLoggerFactory]
>
>
> The problem is, that docker-opencms is build using
> http://www.opencms.org/downloads/opencms/opencms-12.0.zip, which is
> old, but it is the latest available distribution file.
>
> So even if I´d try to rebuild the opencms docker image, it wouldn't
> work, since there is no newer opencms distribution zip.
>
> Best regards
> Werner
>
>
> Am 07.03.2022 um 10:50 schrieb Jochen Graf via opencms-dev:
>> Hi Werner,
>>
>> if you still want the latest log4j 2.17 version with your Docker
>> image, manually replacing the libs should work.
>>
>> Maybe there is just a problem with order? Important is first to stop
>> the container and then delete the log4j libs. If you try to delete
>> the libs in a running container they will re-appear.
>>
>> Best
>>
>> Jochen
>>
>> Am 07.03.22 um 10:07 schrieb deburau via opencms-dev:
>>> Sure, you are right. Unfortunately, there is no newer image. Latest
>>> official is three months old as you can see on docker hub:
>>> https://hub.docker.com/r/alkacon/opencms-docker/tags
>>>
>>>
>>> Am 07.03.2022 um 10:00 schrieb Manfred Schenk via opencms-dev:
>>>> Concerning security fixes in docker-based software it is better to
>>>> fix the image than fixing the container, i.e. you should use a
>>>> newer image where the issue is fixed instead of patching the
>>>> container.
>>>>
>>>> Regards
>>>> Manfred
>>>>
>>>> -----Ursprüngliche Nachricht-----
>>>> Von: opencms-dev <opencms-dev-bounces at opencms.org> Im Auftrag von
>>>> deburau via opencms-dev
>>>> Gesendet: Montag, 7. März 2022 08:33
>>>> An: opencms-dev at opencms.org
>>>> Cc: lists.opencms.org at flexoft.net
>>>> Betreff: [opencms-dev] Docker-OpenCms / log4j Vulnerability
>>>>
>>>> Hi all,
>>>>
>>>> I was looking for a new CMS and thought to give OpenCms a try. I've
>>>> set it up using docker and all is running easily.
>>>>
>>>> Then I followed the instructions to migrate log4j from 2.16.0 to
>>>> the latest 2.17.2. This worked, but after stopping and starting the
>>>> container again, the old 2.16.0 reappeared.
>>>>
>>>> Before starting the container:
>>>>
>>>> $ sudo find data/|grep log4j
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>>>
>>>> Starting the container:
>>>>
>>>> ...
>>>> opencms | SLF4J: Class path contains multiple SLF4J bindings.
>>>> opencms | SLF4J: Found binding in
>>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>>>>
>>>> opencms | SLF4J: Found binding in
>>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>>>>
>>>> opencms | SLF4J: See
>>>> http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
>>>> opencms | SLF4J: Actual binding is of type
>>>> [org.apache.logging.slf4j.Log4jLoggerFactory]
>>>> ...
>>>>
>>>> After starting the container:
>>>>
>>>> $ sudo find data/|grep log4j
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>>>
>>>> So I wonder whether this is ok, or if not, how to permanently
>>>> remove the
>>>> 2.16.0 jars?
>>>>
>>>> Regards
>>>> Werner
>>>>
>>>> _______________________________________________
>>>> This mail is sent to you from the opencms-dev mailing list To
>>>> change your list options, or to unsubscribe from the list, please
>>>> visit https://lists.opencms.org/mailman/listinfo/opencms-dev
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> This mail is sent to you from the opencms-dev mailing list
>>>> To change your list options, or to unsubscribe from the list,
>>>> please visit
>>>> https://lists.opencms.org/mailman/listinfo/opencms-dev
>>>>
>>>>
>>>>
>>> _______________________________________________
>>> This mail is sent to you from the opencms-dev mailing list
>>> To change your list options, or to unsubscribe from the list, please
>>> visit
>>> https://lists.opencms.org/mailman/listinfo/opencms-dev
>>>
>>>
>>>
> _______________________________________________
> This mail is sent to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please
> visit
> https://lists.opencms.org/mailman/listinfo/opencms-dev
>
>
>
--
Alkacon Software GmbH & Co. KG - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
More information about the opencms-dev
mailing list