akamai / akamai-docker

Dockerfile for official Akamai's DevOps environment containing CLI packages and useful tools
Apache License 2.0

Check for CVE-2021-44228 (log4shell) #65

Closed ynohat closed 2 years ago

ynohat commented 2 years ago

This is a proactive ticket to scan the official image manually for the presence of the log4j vulnerability.

❯ docker scan akamai/shell:latest

Testing akamai/shell:latest...

Organization:      ynohat
Package manager:   apk
Project name:      docker-image|akamai/shell
Docker image:      akamai/shell:latest
Platform:          linux/amd64
Base image:        alpine:3.13.7
Licenses:          enabled

✓ Tested 99 dependencies for known issues, no vulnerable paths found.

According to our scan, you are currently using the most secure version of the selected base image

The base image is fine ✅

It is not possible to scan beyond the base if I understand docker scan correctly, unless we provide the Dockerfile used to build the image. This is unwieldy because of the layered approach to building the variants, but we can check manually:

Is log4j installed?

Akamai DevOps [/workdir] >> find / -name 'log4j*'
/cli/.akamai-cli/src/cli-sandbox/node_modules/log4js
/cli/.akamai-cli/src/cli-sandbox/node_modules/log4js/lib/log4js.js
/cli/.akamai-cli/src/cli-sandbox/node_modules/log4js/lib/log4js.json
/cli/.akamai-cli/src/cli-sandbox/node_modules/log4js/test/log4js.json
/cli/.akamai-cli/src/cli-property-manager/node_modules/log4js
/cli/.akamai-cli/src/cli-property-manager/node_modules/log4js/lib/log4js.js
/cli/.akamai-cli/src/cli-property-manager/node_modules/log4js/types/log4js.d.ts
/cli/.akamai-cli/src/cli-property/node_modules/log4js
/cli/.akamai-cli/src/cli-property/node_modules/log4js/lib/log4js.js
/cli/.akamai-cli/src/cli-property/node_modules/log4js/lib/log4js.json
/cli/.akamai-cli/src/cli-property/node_modules/log4js/test/log4js.json
/cli/.akamai-cli/src/cli-property/node_modules/pkg/dictionary/log4js.js
/cli/.akamai-cli/src/cli-edgeworkers/node_modules/log4js
/cli/.akamai-cli/src/cli-edgeworkers/node_modules/log4js/lib/log4js.js
/cli/.akamai-cli/src/cli-edgeworkers/node_modules/log4js/lib/log4js.json
/cli/.akamai-cli/src/cli-edgeworkers/node_modules/log4js/test/log4js.json
/cli/.akamai-cli/src/cli-appsec/node_modules/log4js
/cli/.akamai-cli/src/cli-appsec/node_modules/log4js/lib/log4js.js
/cli/.akamai-cli/src/cli-appsec/node_modules/log4js/lib/log4js.json
/cli/.akamai-cli/src/cli-appsec/node_modules/log4js/test/log4js.json

Only the nodejs port ✅

Is log4j bundled in other jars?

Akamai DevOps [/workdir] >> for f in $(find / -name '*.jar' 2>/dev/null); do echo "Checking $f..."; unzip -l "$f" | grep -F org/apache/logging/log4j/core/lookup/JndiLookup.class; done
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/rt.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/charsets.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/policy/unlimited/local_policy.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/policy/unlimited/US_export_policy.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/policy/limited/local_policy.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/policy/limited/US_export_policy.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/ext/localedata.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/ext/zipfs.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/ext/sunjce_provider.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/ext/dnsns.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/ext/sunec.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/ext/nashorn.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/ext/sunpkcs11.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/ext/jaccess.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/ext/cldrdata.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/jfr.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/resources.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/jce.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/jsse.jar...
Checking /usr/lib/jvm/java-1.8-openjdk/jre/lib/management-agent.jar...
Checking /cli/.akamai-cli/cache/sandbox-cli/sandbox-client-1.4.0-RELEASE/lib/sandbox-client-1.4.0-RELEASE.jar...

No ✅
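A scanner that automates the jar check above and also descends into jars nested inside other archives (`unzip -l` on the outer file does not list the contents of an embedded jar), as an added example that is not part of this issue or of the akamai-docker project. The jars it builds in a temp directory are constructed fixtures; a hit only means a log4j-core with `JndiLookup` is present, and the recorded version still has to be compared against the Apache advisory.

```python
import io
import os
import tempfile
import zipfile

# Indicator used in the issue above, plus where log4j-core records its version.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def log4j_version(zf):
    """Version recorded in log4j-core's pom.properties, or None if absent."""
    if POM_PROPS not in zf.namelist():
        return None
    props = dict(l.split("=", 1) for l in zf.read(POM_PROPS).decode().splitlines() if "=" in l)
    return props.get("version", "").strip() or None

def scan_archive(zf, label, findings):
    """Record label if JndiLookup is present, then recurse into nested archives."""
    if JNDI_LOOKUP in zf.namelist():
        findings.append((label, log4j_version(zf)))
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_EXT):
            blob = io.BytesIO(zf.read(name))  # nested archive held in memory
            if zipfile.is_zipfile(blob):
                scan_archive(zipfile.ZipFile(blob), f"{label}!{name}", findings)

def scan_tree(root):
    """Walk root; return [(path or path!nested, version or None), ...] for each hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVE_EXT)):
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, path, findings)
    return findings

def demo():
    """Constructed fixtures: a clean jar and an app.war embedding a log4j-core jar."""
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as zf:
            zf.writestr("com/example/Main.class", b"")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as zf:
            zf.writestr(JNDI_LOOKUP, b"")
            zf.writestr(POM_PROPS, "version=2.14.1\n")  # constructed sample version
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        return [(label[len(root) + 1:], ver) for label, ver in scan_tree(root)]
```

Run `scan_tree("/")` inside the container to reproduce the manual check; the `!` separator in a label marks each nesting level.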