hbz / oerworldmap

OER World Map
https://oerworldmap.org/
Other
30 stars, 16 forks

Needs "logshell" fix #2004

Open adamwight opened 2 years ago

adamwight commented 2 years ago

We're using log4j-core-2.9.1, which is vulnerable to a real bad exploit. log4j must be updated to 2.15+, see https://logging.apache.org/log4j/2.x/security.html

dr0i commented 2 years ago

Hi @adamwight. Yes, oerworldmap uses log4j 2.9.1, not directly but through the elasticsearch dependency. You can list the transitive dependencies by doing:

echo 'addSbtPlugin("net.virtual-void" % "sbt-dependency-graph" % "0.10.0-RC1")' >> project/plugins.sbt; sbt compile:dependencyTree

As updating elasticsearch may come with API breaks, this would possibly mean a lot of recoding. But there is a workaround for fixing the security hole by removing the problematic class from the elasticsearch/lib by doing:

cd ../third-party/elasticsearch-6.2.1/lib/
zip -q -d *log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class   # delete the JNDI lookup class from the jar
grep JndiLookup.class log4j-*   # check if JndiLookup.class is really gone (expect no match)

and restarting elasticsearch. Did that already, so the production server should be safe.

This should be documented in the README.

dr0i commented 2 years ago

Also, this has to be done manually every time after an sbt clean stage:

cd ~/oerworldmap/target/universal/stage/lib
grep JndiLookup.class org.apache.logging.log4j.*   # before: the class is still present (expect a match)
zip -q -d *log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class   # remove it
grep JndiLookup.class org.apache.logging.log4j.*   # after: expect no match

and restart oerworldmap.
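The manual jar surgery from both of the comments above, as an added example that is not part of this issue or of the oerworldmap code: a Python script that finds every log4j-core jar in a lib directory, removes JndiLookup.class by rewriting the archive (the `zip -d` step), and verifies against the zip index rather than grepping the binary. The function names and the sample jar with placeholder class bytes are constructed here; on a real host you would point patch_lib_dir at the lib directories named in the thread.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Class the thread removes with `zip -d`; its presence is what the grep checks for.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def has_jndi_lookup(jar_path):
    """Exact check against the zip central directory instead of grep on a binary."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return True if it was present."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:  # zipfile cannot delete in place
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info))
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    tmp.write_bytes(buf.getvalue())
    tmp.replace(jar_path)  # atomic swap so a half-written jar never stays behind
    return True

def patch_lib_dir(lib_dir):
    """Apply the fix to every *log4j-core-*.jar in lib_dir; map jar name -> removed?"""
    return {p.name: strip_jndi_lookup(p) for p in sorted(Path(lib_dir).glob("*log4j-core-*.jar"))}

def make_sample_jar(path):
    """Constructed stand-in for log4j-core-2.9.1.jar (placeholder bytes, not real classes)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")

def demo():
    """Patch a constructed lib dir twice: first run removes the class, second is a no-op."""
    lib = Path(tempfile.mkdtemp())
    jar = lib / "log4j-core-2.9.1.jar"
    make_sample_jar(jar)
    first, second = patch_lib_dir(lib), patch_lib_dir(lib)
    with zipfile.ZipFile(jar) as zf:
        kept = sorted(zf.namelist())  # the other entries must survive the rewrite
    return first, second, has_jndi_lookup(jar), kept
```

Running demo() reports the jar as patched on the first pass, untouched on the second, with JndiLookup.class gone and the remaining entries intact, which is the same before/after check the two grep lines in the thread perform by hand.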