[opencms-dev] Docker-OpenCms / log4j Vulnerability

lists.opencms.org at flexoft.net
Mon Mar 7 13:18:33 CET 2022


Thank you for the clarification. I could live with the moderate 
vulnerabilities for some time.

I was worried because 
https://documentation.opencms.org/opencms-documentation/server-installation/log4j-security-vulnerability/ 
clearly states "At least Log4j version 2.17 is required" without saying 
that the critical issues are already fixed with OpenCms 12.0.


On 07.03.2022 at 13:06, Jochen Graf via opencms-dev wrote:
> Hi Werner,
>
> the actual OpenCms 12 distribution includes log4j 2.16, which solves 
> all "critical" vulnerabilities, see [1].
>
> If you need to address the latest "moderate" vulnerabilities, simply 
> replace the standard OpenCms distribution ZIP with something that fits 
> your needs, see [2], and build the Docker image locally.
>
> Best Jochen
>
> [1] https://logging.apache.org/log4j/2.x/security.html
> [2] 
> https://github.com/alkacon/opencms-docker/blob/master/image/Dockerfile#L19
>
>
> On 07.03.22 at 12:01, deburau via opencms-dev wrote:
>> Hello Jochen,
>>
>> you are right that docker-compose start / stop does not restore the 
>> old jars.
>>
>> But that is not the point. I consider the latest OpenCms 
>> distributions (docker and not docker) broken, because they are 
>> vulnerable to the log4j vulnerability.
>>
>> This can be fixed for non-docker installations by replacing the 
>> affected jars. But for docker installations this doesn't work, since 
>> down / up restores the affected jars.
>>
>>
>> I always use docker-compose up / down. Docker containers should be 
>> designed to work in this scenario, and in fact, docker-opencms also 
>> generally works with up / down. The missing part is a fixed OpenCms 
>> distribution zip containing the latest log4j jars.
>>
>> Greetings
>> Werner
>>
>>
>> On 07.03.2022 at 11:20, Jochen Graf via opencms-dev wrote:
>>> Hi Werner,
>>>
>>> please try the following:
>>>
>>> (1) docker-compose stop
>>> (2) sudo rm data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-* (delete 
>>> version 2.16 from the WEB-INF/lib folder)
>>> (3) sudo cp log4j-* data/tomcat-webapps/ROOT/WEB-INF/lib/ (copy 
>>> version 2.17 into the WEB-INF/lib folder)
>>> (4) docker-compose start
>>>
>>> If you use docker-compose start/stop instead of docker-compose 
>>> up/down, OpenCms is not reinstalled.
>>>
>>> Best
>>>
>>> Jochen
>>>
>>>
>>> On 07.03.22 at 11:13, deburau via opencms-dev wrote:
>>>> No, manually replacing the libs doesn't work.
>>>>
>>>> When the container starts, it reinstalls the jars. It even deletes 
>>>> the old 2.16.0 jars itself before reinstalling them. Some excerpts 
>>>> from the output of "docker-compose up -l":
>>>>
>>>> opencms    | Executing OpenCms configuration script: 
>>>> /root/preinit/20_check_install.sh
>>>> opencms    | ---------------------------------------------------
>>>> opencms    | mkdir: created directory '/artifacts/libs'
>>>> opencms    | Writing properties file to contain list of JARs used 
>>>> by the OpenCms core, to be used in later updates.
>>>> opencms    | OpenCms already installed, updating modules and libs
>>>> opencms    | Changing Admin password for update
>>>> opencms    | Extract modules and libs
>>>> ...
>>>> opencms    | removed 
>>>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar'
>>>> opencms    | removed 
>>>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar'
>>>> opencms    | removed 
>>>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar'
>>>> opencms    | removed 
>>>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar' 
>>>>
>>>> opencms    | Moving new JARs
>>>> opencms    | mv: inter-device move failed: '/artifacts/libs/jni' to 
>>>> '/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/jni'; unable to remove 
>>>> target: Directory not empty
>>>> opencms    | Update modules core
>>>> opencms    | === START OPENCMS SHELL ===
>>>> opencms    | Installing modules from 
>>>> /config/update-core-modules.ocsh using OpenCms home 
>>>> /usr/local/tomcat/webapps/ROOT
>>>> opencms    | No OpenCms home folder given. Trying to guess...
>>>> opencms    |
>>>> opencms    | OpenCms WEB-INF path: 
>>>> "/usr/local/tomcat/webapps/ROOT/WEB-INF".
>>>> opencms    | OpenCms property file: 
>>>> "/usr/local/tomcat/webapps/ROOT/WEB-INF/config/opencms.properties".
>>>> opencms    |
>>>> opencms    | SLF4J: Class path contains multiple SLF4J bindings.
>>>> opencms    | SLF4J: Found binding in 
>>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>>>> opencms    | SLF4J: Found binding in 
>>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>>>> opencms    | SLF4J: See 
>>>> http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
>>>> opencms    | SLF4J: Actual binding is of type 
>>>> [org.apache.logging.slf4j.Log4jLoggerFactory]
>>>>
>>>>
>>>> The problem is that docker-opencms is built using 
>>>> http://www.opencms.org/downloads/opencms/opencms-12.0.zip, which is 
>>>> old, but it is the latest available distribution file.
>>>>
>>>> So even if I'd try to rebuild the OpenCms docker image, it wouldn't 
>>>> work, since there is no newer OpenCms distribution zip.
>>>>
>>>> Best regards
>>>> Werner
>>>>
>>>>
>>>> On 07.03.2022 at 10:50, Jochen Graf via opencms-dev wrote:
>>>>> Hi Werner,
>>>>>
>>>>> if you still want the latest log4j 2.17 version with your Docker 
>>>>> image, manually replacing the libs should work.
>>>>>
>>>>> Maybe there is just a problem with the order? It is important to first 
>>>>> stop the container and then delete the log4j libs. If you try to 
>>>>> delete the libs in a running container they will re-appear.
>>>>>
>>>>> Best
>>>>>
>>>>> Jochen
>>>>>
>>>>> On 07.03.22 at 10:07, deburau via opencms-dev wrote:
>>>>>> Sure, you are right. Unfortunately, there is no newer image. 
>>>>>> Latest official is three months old as you can see on docker hub: 
>>>>>> https://hub.docker.com/r/alkacon/opencms-docker/tags
>>>>>>
>>>>>>
>>>>>> On 07.03.2022 at 10:00, Manfred Schenk via opencms-dev wrote:
>>>>>>> Concerning security fixes in docker-based software it is better 
>>>>>>> to fix the image than fixing the container, i.e. you should use 
>>>>>>> a newer image where the issue is fixed instead of patching the 
>>>>>>> container.
>>>>>>>
>>>>>>> Regards
>>>>>>> Manfred
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: opencms-dev <opencms-dev-bounces at opencms.org> On behalf 
>>>>>>> of deburau via opencms-dev
>>>>>>> Sent: Monday, 7 March 2022 08:33
>>>>>>> To: opencms-dev at opencms.org
>>>>>>> Cc: lists.opencms.org at flexoft.net
>>>>>>> Subject: [opencms-dev] Docker-OpenCms / log4j Vulnerability
>>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I was looking for a new CMS and thought to give OpenCms a try. 
>>>>>>> I've set it up using docker and all is running easily.
>>>>>>>
>>>>>>> Then I followed the instructions to migrate log4j from 2.16.0 to 
>>>>>>> the latest 2.17.2. This worked, but after stopping and starting 
>>>>>>> the container again, the old 2.16.0 reappeared.
>>>>>>>
>>>>>>> Before starting the container:
>>>>>>>
>>>>>>> $ sudo find data/|grep log4j
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>>>>>>
>>>>>>> Starting the container:
>>>>>>>
>>>>>>> ...
>>>>>>> opencms    | SLF4J: Class path contains multiple SLF4J bindings.
>>>>>>> opencms    | SLF4J: Found binding in
>>>>>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar!/org/slf4j/impl/StaticLoggerBinder.class] 
>>>>>>>
>>>>>>> opencms    | SLF4J: Found binding in
>>>>>>> [jar:file:/usr/local/tomcat/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar!/org/slf4j/impl/StaticLoggerBinder.class] 
>>>>>>>
>>>>>>> opencms    | SLF4J: See
>>>>>>> http://www.slf4j.org/codes.html#multiple_bindings for an 
>>>>>>> explanation.
>>>>>>> opencms    | SLF4J: Actual binding is of type 
>>>>>>> [org.apache.logging.slf4j.Log4jLoggerFactory]
>>>>>>> ...
>>>>>>>
>>>>>>> After starting the container:
>>>>>>>
>>>>>>> $ sudo find data/|grep log4j
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.17.2.jar
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.17.2.jar
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-api-2.16.0.jar
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-jcl-2.16.0.jar
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.16.0.jar
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-core-2.17.2.jar
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar
>>>>>>> data/tomcat-webapps/ROOT/WEB-INF/classes/log4j2.xml
>>>>>>>
>>>>>>> So I wonder whether this is ok, or if not, how to permanently 
>>>>>>> remove the 2.16.0 jars?
>>>>>>>
>>>>>>> Regards
>>>>>>> Werner
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> This mail is sent to you from the opencms-dev mailing list To 
>>>>>>> change your list options, or to unsubscribe from the list, 
>>>>>>> please visit https://lists.opencms.org/mailman/listinfo/opencms-dev
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>
>>
>>
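A host-side check for the state this thread describes (old and new log4j jars coexisting in WEB-INF/lib after a container restart, giving the duplicate SLF4J bindings shown above, or a version below the documented minimum), as an added example that is not from the opencms-docker project or any poster; it assumes the bind-mounted library directory path from the thread and a `sort` that supports `-V` (GNU coreutils or busybox):

```shell
#!/bin/sh
# Added example, not part of the opencms-docker project.
# Audit a WEB-INF/lib directory for log4j jars: report when several
# versions sit side by side (as after "docker-compose up" in the thread)
# or when any version is older than the required minimum.
# Usage: check_log4j_libs <lib-dir> <min-version>
# Returns 0 only when exactly one log4j version is present and it is
# at least <min-version>; 1 on a finding; 2 when no log4j jar is found.
check_log4j_libs() {
    libdir=$1
    minver=$2
    # Distinct version strings taken from log4j-<artifact>-<version>.jar names.
    versions=$(ls "$libdir"/log4j-*.jar 2>/dev/null \
        | sed -n 's/.*log4j-.*-\([0-9][0-9.]*\)\.jar$/\1/p' \
        | sort -u)
    if [ -z "$versions" ]; then
        echo "no log4j jars found in $libdir"
        return 2
    fi
    status=0
    count=$(printf '%s\n' "$versions" | wc -l | tr -d ' ')
    if [ "$count" -gt 1 ]; then
        echo "WARN: $count log4j versions coexist in $libdir (duplicate bindings likely):"
        printf '  %s\n' $versions
        status=1
    fi
    for v in $versions; do
        # Version-sort v against the minimum; if v sorts first and differs, it is too old.
        lowest=$(printf '%s\n%s\n' "$v" "$minver" | sort -V | head -n 1)
        if [ "$lowest" = "$v" ] && [ "$v" != "$minver" ]; then
            echo "WARN: log4j $v is older than the required $minver"
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "OK: single log4j version $versions (>= $minver) in $libdir"
    return $status
}

# Example invocation against the bind mount used in the thread:
# check_log4j_libs data/tomcat-webapps/ROOT/WEB-INF/lib 2.17.0
```

Run it after every `docker-compose up` (or as a health check) so a reinstalled 2.16.0 jar next to 2.17.2 is caught before the log output has to be read by hand.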

