[opencms-dev] Docker-OpenCms / log4j Vulnerability

Jochen Graf j.graf at alkacon.com
Mon Mar 7 11:20:16 CET 2022


Hi Werner,

please try the following:

(1) docker-compose stop
(2) sudo rm data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-* (delete version 2.16 from the WEB-INF/lib folder)
(3) sudo cp log4j-* data/tomcat-webapps/ROOT/WEB-INF/lib/ (copy version 2.17 into the WEB-INF/lib folder)
(4) docker-compose start

If you use docker-compose start/stop instead of docker-compose up/down, 
OpenCms is not reinstalled.

Best

Jochen


On 07.03.22 at 11:13, deburau via opencms-dev wrote:
> No, manually replacing the libs doesn't work.
>
> When the container starts, it reinstalls the jars. It even deletes the 
> old 2.16.0 jars itself before reinstalling them. Some excerpts from 
> the output of "docker-compose up -l":
>
> opencms    | Executing OpenCms configuration script: 
> /root/preinit/20_check_install.sh
> opencms    | ---------------------------------------------------
> opencms    | mkdir: created directory '/artifacts/libs'
> opencms    | Writing properties file to contain list of JARs used by 
> the OpenCms core, to be used in later updates.
> opencms    | OpenCms already installed, updating modules and libs
> opencms    | Changing Admin password for update
> opencms    | Extract modules and libs
> ...
> opencms    | removed 
> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar'
> opencms    | removed 
> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar'
> opencms    | removed 
> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar'
> opencms    | removed 
> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar'
> opencms    | Moving new JARs
> opencms    | mv: inter-device move failed: '/artifacts/libs/jni' to 
> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/jni'; unable to remove 
> target: Directory not empty
> opencms    | Update modules core
> opencms    | === START OPENCMS SHELL ===
> opencms    | Installing modules from /config/update-core-modules.ocsh 
> using OpenCms home /usr/local/tomcat/webapps/ROOT
> opencms    | No OpenCms home folder given. Trying to guess...
> opencms    |
> opencms    | OpenCms WEB-INF path: 
> "/usr/local/tomcat/webapps/ROOT/WEB-INF".
> opencms    | OpenCms property file: 
> "/usr/local/tomcat/webapps/ROOT/WEB-INF/config/opencms.properties".
> opencms    |
> opencms    | SLF4J: Class path contains multiple SLF4J bindings.
> opencms    | SLF4J: Found binding in 
> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> opencms    | SLF4J: Found binding in 
> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> opencms    | SLF4J: See 
> http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
> opencms    | SLF4J: Actual binding is of type 
> [org.apache.logging.slf4j.Log4jLoggerFactory]
>
>
> The problem is that docker-opencms is built using 
> http://www.opencms.org/downloads/opencms/opencms-12.0.zip, which is 
> old, but it is the latest available distribution file.
>
> So even if I'd try to rebuild the opencms docker image, it wouldn't 
> work, since there is no newer opencms distribution zip.
>
> Best regards
> Werner
>
>
> On 07.03.2022 at 10:50, Jochen Graf via opencms-dev wrote:
>> Hi Werner,
>>
>> if you still want the latest log4j 2.17 version with your Docker 
>> image, manually replacing the libs should work.
>>
>> Maybe there is just a problem with the order? It is important to first 
>> stop the container and then delete the log4j libs. If you try to delete 
>> the libs in a running container they will re-appear.
>>
>> Best
>>
>> Jochen
>>
>> On 07.03.22 at 10:07, deburau via opencms-dev wrote:
>>> Sure, you are right. Unfortunately, there is no newer image. Latest 
>>> official is three months old as you can see on docker hub: 
>>> https://hub.docker.com/r/alkacon/opencms-docker/tags
>>>
>>>
>>> On 07.03.2022 at 10:00, Manfred Schenk via opencms-dev wrote:
>>>> Concerning security fixes in docker-based software it is better to 
>>>> fix the image than fixing the container, i.e. you should use a 
>>>> newer image where the issue is fixed instead of patching the 
>>>> container.
>>>>
>>>> Regards
>>>> Manfred
>>>>
>>>> -----Original Message-----
>>>> From: opencms-dev <opencms-dev-bounces at opencms.org> On behalf of 
>>>> deburau via opencms-dev
>>>> Sent: Monday, 7 March 2022 08:33
>>>> To: opencms-dev at opencms.org
>>>> Cc: lists.opencms.org at flexoft.net
>>>> Subject: [opencms-dev] Docker-OpenCms / log4j Vulnerability
>>>>
>>>> Hi all,
>>>>
>>>> I was looking for a new CMS and thought to give OpenCms a try. I've 
>>>> set it up using docker and all is running easily.
>>>>
>>>> Then I followed the instructions to migrate log4j from 2.16.0 to 
>>>> the latest 2.17.2. This worked, but after stopping and starting the 
>>>> container again, the old 2.16.0 reappeared.
>>>>
>>>> Before starting the container:
>>>>
>>>> $ sudo find data/|grep log4j
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>>>
>>>> Starting the container:
>>>>
>>>> ...
>>>> opencms    | SLF4J: Class path contains multiple SLF4J bindings.
>>>> opencms    | SLF4J: Found binding in 
>>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>>>> opencms    | SLF4J: Found binding in 
>>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>>>> opencms    | SLF4J: See 
>>>> http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
>>>> opencms    | SLF4J: Actual binding is of type 
>>>> [org.apache.logging.slf4j.Log4jLoggerFactory]
>>>> ...
>>>>
>>>> After starting the container:
>>>>
>>>> $ sudo find data/|grep log4j
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar
>>>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>>>
>>>> So I wonder whether this is ok, or if not, how to permanently 
>>>> remove the 2.16.0 jars?
>>>>
>>>> Regards
>>>> Werner
>>>>
>>>> _______________________________________________
>>>> This mail is sent to you from the opencms-dev mailing list To 
>>>> change your list options, or to unsubscribe from the list, please 
>>>> visit https://lists.opencms.org/mailman/listinfo/opencms-dev
>>>>
>>>>
>>>>
-- 
Alkacon Software GmbH & Co. KG  - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
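The stop / replace / start procedure from Jochen's reply, as an added example that is not part of the thread or of the OpenCms Docker project, with a check that the lib folder ends up holding exactly one log4j version (Werner's "find" output shows 2.16.0 and 2.17.2 side by side, which is what the SLF4J "multiple bindings" warning reflects). It assumes the docker-compose layout from the thread (data/tomcat-webapps/ROOT/WEB-INF/lib) and that the new jars sit in a directory you pass on the command line.

```sh
#!/bin/sh
# Added example: check, swap and re-check the log4j jars in an OpenCms
# WEB-INF/lib folder before restarting the container (not project code).

# Distinct log4j versions found in lib dir $1, one per line (empty if none).
log4j_versions() {
    for f in "$1"/log4j-*.jar; do
        [ -e "$f" ] || continue
        base="${f##*/}"        # drop the path
        base="${base%.jar}"    # drop the extension
        echo "${base##*-}"     # version is the part after the last '-'
    done | sort -u
}

# Return 0 only if exactly one log4j version is present in $1 and it equals $2.
# Mixed versions (e.g. 2.16.0 next to 2.17.2) are reported and rejected.
check_log4j() {
    versions=$(log4j_versions "$1")
    count=$(printf '%s\n' "$versions" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "no log4j jars in $1" >&2; return 1
    elif [ "$count" -gt 1 ]; then
        echo "mixed log4j versions in $1: $(echo "$versions" | tr '\n' ' ')" >&2; return 1
    elif [ "$versions" != "$2" ]; then
        echo "found log4j $versions, expected $2" >&2; return 1
    fi
    return 0
}

# Steps (2) and (3) from the mail: remove every log4j jar in lib dir $1,
# then copy in the jars from directory $2.
swap_log4j() {
    rm -f "$1"/log4j-*.jar
    cp "$2"/log4j-*.jar "$1"/
}

# Full procedure, only run when invoked as: sh update-log4j.sh run ./new-jars [libdir]
# docker-compose stop/start (not up/down) is used so OpenCms is not reinstalled.
if [ "${1:-}" = "run" ]; then
    LIB="${3:-data/tomcat-webapps/ROOT/WEB-INF/lib}"   # assumed layout from the thread
    docker-compose stop
    swap_log4j "$LIB" "$2"
    check_log4j "$LIB" "2.17.2" || exit 1              # refuse to start with mixed jars
    docker-compose start
fi
```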


