[opencms-dev] Docker-OpenCms / log4j Vulnerability

lists.opencms.org at flexoft.net
Mon Mar 7 12:01:32 CET 2022


Hello Jochen,

you are right that docker-compose start / stop does not restore the old 
jars.

But that is not the point. I consider the latest opencms distributions 
(docker and not docker) broken, because they are vulnerable to the 
log4j vulnerability.

This can be fixed for non-docker installations by replacing the affected 
jars. But for docker installations this doesn't work, since down / up 
restores the affected jars.


I always use docker-compose up / down. Docker containers should be 
designed to work in this scenario, and in fact, docker-opencms also 
generally works with up / down. The missing part is a fixed opencms 
distribution zip containing the latest log4j jars.

Greetings
Werner


On 07.03.2022 at 11:20, Jochen Graf via opencms-dev wrote:
> Hi Werner,
>
> please try the following:
>
> (1) docker-compose stop
> (2) sudo rm data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-* (delete 
> version 2.16 from the WEB-INF/lib folder)
> (3) sudo cp log4j-* data/tomcat-webapps/ROOT/WEB-INF/lib/ (copy 
> version 2.17 into the WEB-INF/lib folder)
> (4) docker-compose start
>
> If you use docker-compose start/stop instead of docker-compose 
> up/down, OpenCms is not reinstalled.
>
> Best
>
> Jochen
>
>
> On 07.03.22 at 11:13, deburau via opencms-dev wrote:
>> No, manually replacing the libs doesn't work.
>>
>> When the container starts, it reinstalls the jars. It even deletes 
>> the old 2.16.0 jars itself before reinstalling them. Some excerpts 
>> from the output of "docker-compose up -l":
>>
>> opencms    | Executing OpenCms configuration script: 
>> /root/preinit/20_check_install.sh
>> opencms    | ---------------------------------------------------
>> opencms    | mkdir: created directory '/artifacts/libs'
>> opencms    | Writing properties file to contain list of JARs used by 
>> the OpenCms core, to be used in later updates.
>> opencms    | OpenCms already installed, updating modules and libs
>> opencms    | Changing Admin password for update
>> opencms    | Extract modules and libs
>> ...
>> opencms    | removed 
>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar'
>> opencms    | removed 
>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar'
>> opencms    | removed 
>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar'
>> opencms    | removed 
>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar'
>> opencms    | Moving new JARs
>> opencms    | mv: inter-device move failed: '/artifacts/libs/jni' to 
>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/jni'; unable to remove 
>> target: Directory not empty
>> opencms    | Update modules core
>> opencms    | === START OPENCMS SHELL ===
>> opencms    | Installing modules from /config/update-core-modules.ocsh 
>> using OpenCms home /usr/local/tomcat/webapps/ROOT
>> opencms    | No OpenCms home folder given. Trying to guess...
>> opencms    |
>> opencms    | OpenCms WEB-INF path: 
>> "/usr/local/tomcat/webapps/ROOT/WEB-INF".
>> opencms    | OpenCms property file: 
>> "/usr/local/tomcat/webapps/ROOT/WEB-INF/config/opencms.properties".
>> opencms    |
>> opencms    | SLF4J: Class path contains multiple SLF4J bindings.
>> opencms    | SLF4J: Found binding in 
>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>> opencms    | SLF4J: Found binding in 
>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>> opencms    | SLF4J: See 
>> http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
>> opencms    | SLF4J: Actual binding is of type 
>> [org.apache.logging.slf4j.Log4jLoggerFactory]
>>
>>
>> The problem is that docker-opencms is built using 
>> http://www.opencms.org/downloads/opencms/opencms-12.0.zip, which is 
>> old, but it is the latest available distribution file.
>>
>> So even if I'd try to rebuild the opencms docker image, it wouldn't 
>> work, since there is no newer opencms distribution zip.
>>
>> Best regards
>> Werner
>>
>>
>> On 07.03.2022 at 10:50, Jochen Graf via opencms-dev wrote:
>>> Hi Werner,
>>>
>>> if you still want the latest log4j 2.17 version with your Docker 
>>> image, manually replacing the libs should work.
>>>
>>> Maybe there is just a problem with the order? It is important to first 
>>> stop the container and then delete the log4j libs. If you try to delete 
>>> the libs in a running container they will re-appear.
>>>
>>> Best
>>>
>>> Jochen
>>>
>>> On 07.03.22 at 10:07, deburau via opencms-dev wrote:
>>>> Sure, you are right. Unfortunately, there is no newer image. Latest 
>>>> official is three months old as you can see on docker hub: 
>>>> https://hub.docker.com/r/alkacon/opencms-docker/tags
>>>>
>>>>
>>>> On 07.03.2022 at 10:00, Manfred Schenk via opencms-dev wrote:
>>>>> Concerning security fixes in docker-based software it is better to 
>>>>> fix the image than fixing the container, i.e. you should use a 
>>>>> newer image where the issue is fixed instead of patching the 
>>>>> container.
>>>>>
>>>>> Regards
>>>>> Manfred
>>>>>
>>>>> -----Original Message-----
>>>>> From: opencms-dev <opencms-dev-bounces at opencms.org> On behalf of 
>>>>> deburau via opencms-dev
>>>>> Sent: Monday, 7 March 2022 08:33
>>>>> To: opencms-dev at opencms.org
>>>>> Cc: lists.opencms.org at flexoft.net
>>>>> Subject: [opencms-dev] Docker-OpenCms / log4j Vulnerability
>>>>>
>>>>> Hi all,
>>>>>
>>>>> I was looking for a new CMS and thought to give OpenCms a try. 
>>>>> I've set it up using docker and all is running easily.
>>>>>
>>>>> Then I followed the instructions to migrate log4j from 2.16.0 to 
>>>>> the latest 2.17.2. This worked, but after stopping and starting 
>>>>> the container again, the old 2.16.0 reappeared.
>>>>>
>>>>> Before starting the container:
>>>>>
>>>>> $ sudo find data/|grep log4j
>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>>>>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>>>>
>>>>> Starting the container:
>>>>>
>>>>> ...
>>>>> opencms    | SLF4J: Class path contains multiple SLF4J bindings.
>>>>> opencms    | SLF4J: Found binding in
>>>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class] 
>>>>>
>>>>> opencms    | SLF4J: Found binding in
>>>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class] 
>>>>>
>>>>> opencms    | SLF4J: See
>>>>> http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
>>>>> opencms    | SLF4J: Actual binding is of type 
>>>>> [org.apache.logging.slf4j.Log4jLoggerFactory]
>>>>> ...
>>>>>
>>>>> After starting the container:
>>>>>
>>>>> $ sudo find data/|grep log4j
>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar
>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar
>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar
>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar
>>>>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>>>>
>>>>> So I wonder whether this is ok, or if not, how to permanently 
>>>>> remove the
>>>>> 2.16.0 jars?
>>>>>
>>>>> Regards
>>>>> Werner
>>>>>
>>>>> _______________________________________________
>>>>> This mail is sent to you from the opencms-dev mailing list.
>>>>> To change your list options, or to unsubscribe from the list, please 
>>>>> visit https://lists.opencms.org/mailman/listinfo/opencms-dev
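As an added example that is not part of this thread or of docker-opencms: a POSIX shell check for the state Werner's listing shows. Given a WEB-INF/lib directory it reports every log4j artifact present in more than one version, and every version below an assumed minimum (2.17.2, the version the thread upgrades to); the sample directory it builds is constructed to mirror that listing.

```shell
# Added example, not from the thread: flag duplicate or outdated log4j jars in a WEB-INF/lib dir.
MIN_VERSION="2.17.2"   # assumption: the 2.17.2 the thread upgrades to is the minimum acceptable
NL='
'

# Dotted-version compare without sort -V: prints 1 if $1 < $2, else 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p < q) { print 1; exit }; if (p > q) { print 0; exit }
        }
        print 0
    }'
}

# Scan $1 for log4j-<artifact>-<version>.jar. Sorted input puts the versions of
# one artifact next to each other, so a repeated artifact name is a DUPLICATE;
# anything below MIN_VERSION is OUTDATED. Returns 1 if anything was found.
check_log4j_dir() {
    pairs=$(ls "$1" 2>/dev/null \
        | sed -nE 's/^(log4j-.*)-([0-9]+(\.[0-9]+)*)\.jar$/\1 \2/p' | sort)
    report=""; prev_art=""; prev_ver=""
    old_ifs=$IFS; IFS=$NL
    for line in $pairs; do
        art=${line% *}; ver=${line#* }
        [ "$art" = "$prev_art" ] && report="${report}DUPLICATE $art $prev_ver $ver$NL"
        [ "$(version_lt "$ver" "$MIN_VERSION")" = 1 ] && report="${report}OUTDATED $art $ver$NL"
        prev_art=$art; prev_ver=$ver
    done
    IFS=$old_ifs
    printf '%s' "$report"
    [ -z "$report" ]
}

# Constructed sample mirroring the thread's listing: 2.16.0 and 2.17.2 of every
# log4j artifact side by side, plus one unrelated jar. Prints the directory.
make_sample_lib() {
    d=$(mktemp -d)
    for a in api core jcl slf4j-impl; do
        : > "$d/log4j-$a-2.16.0.jar"; : > "$d/log4j-$a-2.17.2.jar"
    done
    : > "$d/commons-logging-1.2.jar"
    echo "$d"
}
```

Run it against the real directory with `check_log4j_dir data/tomcat-webapps/ROOT/WEB-INF/lib` after each container restart; a non-zero exit means the old jars are back.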