[opencms-dev] Docker-OpenCms / log4j Vulnerability

Jochen Graf j.graf at alkacon.com
Mon Mar 7 13:06:50 CET 2022


Hi Werner,

the actual OpenCms 12 distribution includes log4j 2.16, which solves all 
"critical" vulnerabilities, see [1].

If you need to address the latest "moderate" vulnerabilities, simply 
replace the standard OpenCms distribution ZIP with something that fits 
your needs, see [2], and build the Docker image locally.

Best Jochen

[1] https://logging.apache.org/log4j/2.x/security.html
[2] https://github.com/alkacon/opencms-docker/blob/master/image/Dockerfile#L19


On 07.03.22 at 12:01, deburau via opencms-dev wrote:
> Hello Jochen,
>
> you are right that docker-compose start / stop does not restore the 
> old jars.
>
> But that is not the point. I consider the latest opencms distributions 
> (docker and not docker) broken, because they are vulnerable to the 
> log4j vulnerability.
>
> This can be fixed for non-docker installations by replacing the 
> affected jars. But for docker installations this doesn't work, since 
> down / up restores the affected jars.
>
>
> I always use docker-compose up /down. Docker containers should be 
> designed to work in this scenario, and in fact, docker-opencms also 
> generally works with up /down. The missing part is a fixed opencms 
> distribution zip containing the latest log4j jars.
>
> Greetings
> Werner
>
>
> On 07.03.2022 at 11:20, Jochen Graf via opencms-dev wrote:
>> Hi Werner,
>>
>> please try the following:
>>
>> (1) docker-compose stop
>> (2) sudo rm data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-* (delete 
>> version 2.16 from the WEB-INF/lib folder)
>> (3) sudo cp log4j-* data/tomcat-webapps/ROOT/WEB-INF/lib/ (copy 
>> version 2.17 into the WEB-INF/lib folder)
>> (4) docker-compose start
>>
>> If you use docker-compose start/stop instead of docker-compose 
>> up/down, OpenCms is not reinstalled.
>>
>> Best
>>
>> Jochen
>>
>>
>> On 07.03.22 at 11:13, deburau via opencms-dev wrote:
>>> No, manually replacing the libs doesn't work.
>>>
>>> When the container starts, it reinstalls the jars. It even deletes 
>>> the old 2.16.0 jars itself before reinstalling them. Some excerpts 
>>> from the output of "docker-compose up -l":
>>>
>>> opencms    | Executing OpenCms configuration script: 
>>> /root/preinit/20_check_install.sh
>>> opencms    | ---------------------------------------------------
>>> opencms    | mkdir: created directory '/artifacts/libs'
>>> opencms    | Writing properties file to contain list of JARs used by 
>>> the OpenCms core, to be used in later updates.
>>> opencms    | OpenCms already installed, updating modules and libs
>>> opencms    | Changing Admin password for update
>>> opencms    | Extract modules and libs
>>> ...
>>> opencms    | removed 
>>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar'
>>> opencms    | removed 
>>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar'
>>> opencms    | removed 
>>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar'
>>> opencms    | removed 
>>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar' 
>>>
>>> opencms    | Moving new JARs
>>> opencms    | mv: inter-device move failed: '/artifacts/libs/jni' to 
>>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/jni'; unable to remove 
>>> target: Directory not empty
>>> opencms    | Update modules core
>>> opencms    | === START OPENCMS SHELL ===
>>> opencms    | Installing modules from 
>>> /config/update-core-modules.ocsh using OpenCms home 
>>> /usr/local/tomcat/webapps/ROOT
>>> opencms    | No OpenCms home folder given. Trying to guess...
>>> opencms    |
>>> opencms    | OpenCms WEB-INF path: 
>>> "/usr/local/tomcat/webapps/ROOT/WEB-INF".
>>> opencms    | OpenCms property file: 
>>> "/usr/local/tomcat/webapps/ROOT/WEB-INF/config/opencms.properties".
>>> opencms    |
>>> opencms    | SLF4J: Class path contains multiple SLF4J bindings.
>>> opencms    | SLF4J: Found binding in 
>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>>> opencms    | SLF4J: Found binding in 
>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>>> opencms    | SLF4J: See 
>>> http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
>>> opencms    | SLF4J: Actual binding is of type 
>>> [org.apache.logging.slf4j.Log4jLoggerFactory]
>>>
>>>
>>> The problem is that docker-opencms is built using 
>>> http://www.opencms.org/downloads/opencms/opencms-12.0.zip, which is 
>>> old, but it is the latest available distribution file.
>>>
>>> So even if I'd try to rebuild the opencms docker image, it wouldn't 
>>> work, since there is no newer opencms distribution zip.
>>>
>>> Best regards
>>> Werner
>>>
>>>
>>> On 07.03.2022 at 10:50, Jochen Graf via opencms-dev wrote:
>>>> Hi Werner,
>>>>
>>>> if you still want the latest log4j 2.17 version with your Docker 
>>>> image, manually replacing the libs should work.
>>>>
>>>> Maybe there is just a problem with the order? It is important to 
>>>> first stop the container and then delete the log4j libs. If you try 
>>>> to delete the libs in a running container they will re-appear.
>>>>
>>>> Best
>>>>
>>>> Jochen
>>>>
>>>> On 07.03.22 at 10:07, deburau via opencms-dev wrote:
>>>>> Sure, you are right. Unfortunately, there is no newer image. 
>>>>> Latest official is three months old as you can see on docker hub: 
>>>>> https://hub.docker.com/r/alkacon/opencms-docker/tags
>>>>>
>>>>>
>>>>> On 07.03.2022 at 10:00, Manfred Schenk via opencms-dev wrote:
>>>>>> Concerning security fixes in docker-based software it is better 
>>>>>> to fix the image than fixing the container, i.e. you should use a 
>>>>>> newer image where the issue is fixed instead of patching the 
>>>>>> container.
>>>>>>
>>>>>> Regards
>>>>>> Manfred
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: opencms-dev <opencms-dev-bounces at opencms.org> On Behalf Of 
>>>>>> deburau via opencms-dev
>>>>>> Sent: Monday, 7 March 2022 08:33
>>>>>> To: opencms-dev at opencms.org
>>>>>> Cc: lists.opencms.org at flexoft.net
>>>>>> Subject: [opencms-dev] Docker-OpenCms / log4j Vulnerability
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I was looking for a new CMS and thought to give OpenCms a try. 
>>>>>> I've set it up using docker and all is running easily.
>>>>>>
>>>>>> Then I followed the instructions to migrate log4j from 2.16.0 to 
>>>>>> the latest 2.17.2. This worked, but after stopping and starting 
>>>>>> the container again, the old 2.16.0 reappeared.
>>>>>>
>>>>>> Before starting the container:
>>>>>>
>>>>>> $ sudo find data/|grep log4j
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>>>>>
>>>>>> Starting the container:
>>>>>>
>>>>>> ...
>>>>>> opencms    | SLF4J: Class path contains multiple SLF4J bindings.
>>>>>> opencms    | SLF4J: Found binding in
>>>>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class] 
>>>>>>
>>>>>> opencms    | SLF4J: Found binding in
>>>>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class] 
>>>>>>
>>>>>> opencms    | SLF4J: See
>>>>>> http://www.slf4j.org/codes.html#multiple_bindings for an 
>>>>>> explanation.
>>>>>> opencms    | SLF4J: Actual binding is of type 
>>>>>> [org.apache.logging.slf4j.Log4jLoggerFactory]
>>>>>> ...
>>>>>>
>>>>>> After starting the container:
>>>>>>
>>>>>> $ sudo find data/|grep log4j
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar
>>>>>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>>>>>
>>>>>> So I wonder whether this is ok, or if not, how to permanently 
>>>>>> remove the 2.16.0 jars?
>>>>>>
>>>>>> Regards
>>>>>> Werner
>>>>>>
>>>>>> _______________________________________________
>>>>>> This mail is sent to you from the opencms-dev mailing list To 
>>>>>> change your list options, or to unsubscribe from the list, please 
>>>>>> visit https://lists.opencms.org/mailman/listinfo/opencms-dev
>>>>>>
>>>>>>
>>>>>>
-- 
Alkacon Software GmbH & Co. KG  - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
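The thread's core problem is that a patched container is silently reverted: on `docker-compose up` the image's preinit script reinstalls the libs from the distribution ZIP, so both the 2.16.0 and the 2.17.2 jars end up in WEB-INF/lib, which is exactly what the SLF4J "multiple bindings" warning reports. The following POSIX shell check is an added example, not code from this thread or from the opencms-docker project: it audits a WEB-INF/lib directory (the thread's path is `data/tomcat-webapps/ROOT/WEB-INF/lib`) for log4j artifacts that are present in more than one version and for versions below a minimum. The function names `check_log4j_jars`, `version_lt` and `make_demo_libdir`, the 2.17.1 baseline and the empty placeholder jar files used as demo input are all my own constructions; the file names mirror Werner's "after starting the container" listing.

```shell
#!/bin/sh
# Added example, not part of the opencms-dev thread or the opencms-docker
# project. Audits a WEB-INF/lib directory for log4j jars and reports:
#   - artifacts present in more than one version (the state in Werner's
#     "after starting the container" listing, which is also what makes
#     SLF4J complain about multiple bindings)
#   - artifacts whose version is below a minimum (2.17.1 is an assumed
#     baseline here; pass your own as the second argument)
# Exit status is a bitmask: 0 clean, 1 outdated version(s), 2 duplicate
# artifact(s), 3 both. Only dotted numeric versions such as 2.17.2 are handled.

# version_lt A B: succeeds (exit 0) when dotted version A is lower than B.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}
        bh=${b%%.*}
        if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        ah=${ah:-0}
        bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1
}

# check_log4j_jars DIR [MIN_VERSION]: prints one line per log4j jar and
# returns the bitmask described above.
check_log4j_jars() {
    dir=$1
    min=${2:-2.17.1}
    old=0
    dup=0
    seen=' '
    for f in "$dir"/log4j-*.jar; do
        [ -e "$f" ] || continue
        name=${f##*/}          # log4j-core-2.16.0.jar
        name=${name%.jar}      # log4j-core-2.16.0
        ver=${name##*-}        # 2.16.0
        art=${name%-*}         # log4j-core
        if version_lt "$ver" "$min"; then
            echo "OLD  $art $ver (below $min)"
            old=1
        else
            echo "OK   $art $ver"
        fi
        # An artifact seen before in this directory means two versions coexist.
        case "$seen" in
            *" $art "*) echo "DUP  $art present in more than one version"; dup=2 ;;
        esac
        seen="$seen$art "
    done
    return $((old + dup))
}

# make_demo_libdir: scratch directory with empty placeholder jar files named
# as in the thread's listing (constructed sample input). Prints the path.
make_demo_libdir() {
    d=$(mktemp -d)
    for v in 2.16.0 2.17.2; do
        for a in log4j-api log4j-core log4j-jcl log4j-slf4j-impl; do
            : > "$d/$a-$v.jar"
        done
    done
    echo "$d"
}

# Stand-alone run against the constructed directory, then clean up.
# For a real installation point it at data/tomcat-webapps/ROOT/WEB-INF/lib.
demo_dir=$(make_demo_libdir)
check_log4j_jars "$demo_dir" 2.17.1 || echo "findings, exit status $?"
rm -rf "$demo_dir"
```

Run it against the host-mounted `data/tomcat-webapps/ROOT/WEB-INF/lib` after every `docker-compose up`; a non-zero status is the signal that the image, not the container, still needs fixing, which is the point Manfred and Jochen make about rebuilding the image from a patched distribution ZIP.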


