Open adamwight opened 2 years ago
Hi @adamwight. Yes, oerworldmap uses log4j 2.9.1, not directly but through the elasticsearch dependency.
You can list the transitive dependencies by doing:

```sh
echo 'addSbtPlugin("net.virtual-void" % "sbt-dependency-graph" % "0.10.0-RC1")' >> project/plugins.sbt; sbt compile:dependencyTree
```
As updating elasticsearch may come with API breaks, this would possibly mean a lot of recoding.
But there is a workaround for fixing the security hole by removing the problematic class from the elasticsearch/lib by doing:
```sh
cd ../third-party/elasticsearch-6.2.1/lib/
zip -q -d *log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
grep JndiLookup.class log4j-*   # check that JndiLookup.class is really gone
```
and restarting elasticsearch. Did that already, so the productive server should be safe.
This should be documented in the README.
Also, this has to be done manually every time after an `sbt clean stage`:
```sh
cd ~/oerworldmap/target/universal/stage/lib
grep JndiLookup.class org.apache.logging.log4j.*
zip -q -d *log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
grep JndiLookup.class org.apache.logging.log4j.*
```
and restart oerworldmap.
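The comment above applies the same three steps to two lib directories (find the log4j-core jar, delete `JndiLookup.class` from it with `zip -d`, grep to confirm it is gone) and has to be repeated after every `sbt clean stage`. The script below is an added example, not oerworldmap or elasticsearch code, that does the same thing with Python's `zipfile` so it needs no `zip` CLI and can be run against any lib directory: it only touches `*log4j-core-*.jar` files, rewrites each one without the lookup class, and re-checks afterwards, which is the "grep" that must come back empty before the service is restarted. The jar contents in `build_demo_lib` are constructed dummies; only the entry names matter for the check.

```python
"""Strip JndiLookup.class from log4j-core jars and verify the result.

Added example; not oerworldmap or elasticsearch code. It does with Python's
zipfile what the posted `zip -q -d ... JndiLookup.class` / `grep` steps do,
so it needs no zip CLI. Paths and jar names in build_demo_lib are constructed.
"""
import glob
import os
import tempfile
import zipfile

# Entry that the log4j 2.x JNDI lookup mitigation removes.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_entries(jar_path):
    """Entry names inside a jar (a jar is just a zip file)."""
    with zipfile.ZipFile(jar_path) as zf:
        return zf.namelist()


def jars_with_jndi_lookup(lib_dir):
    """log4j-core jars under lib_dir that still contain JndiLookup.class.

    Only log4j-core jars are matched: log4j-api and other jars do not ship
    this class, so touching them would be pointless.
    """
    hits = []
    for path in glob.glob(os.path.join(lib_dir, "*log4j-core-*.jar")):
        if JNDI_LOOKUP in jar_entries(path):
            hits.append(path)
    return sorted(hits)


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class; return True if it was removed.

    zipfile cannot delete an entry in place, so the jar is copied entry by
    entry into a temp file next to it and then atomically swapped in.
    """
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".jar")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP:
                    continue  # drop the lookup class, keep every other entry as-is
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)
    return True


def mitigate(lib_dir):
    """Strip every affected jar in lib_dir and re-check, like the grep after zip -d.

    Returns (stripped_jars, jars_still_vulnerable); the second list must be
    empty before the service is restarted.
    """
    stripped = [jar for jar in jars_with_jndi_lookup(lib_dir) if strip_jndi_lookup(jar)]
    return stripped, jars_with_jndi_lookup(lib_dir)


def build_demo_lib():
    """Constructed stand-in for a lib directory such as elasticsearch-6.2.1/lib.

    The class bodies are dummy bytes; only the entry names matter for the check.
    """
    lib_dir = tempfile.mkdtemp(prefix="demo-lib-")
    with zipfile.ZipFile(os.path.join(lib_dir, "log4j-core-2.9.1.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(lib_dir, "log4j-api-2.9.1.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    return lib_dir


if __name__ == "__main__":
    lib = build_demo_lib()
    print("before:", jars_with_jndi_lookup(lib))
    stripped, remaining = mitigate(lib)
    print("stripped:", stripped)
    print("still vulnerable:", remaining)
```

Run `mitigate("/path/to/elasticsearch-6.2.1/lib")` and `mitigate("target/universal/stage/lib")` in turn and treat a non-empty second list as a failed mitigation. Because `sbt clean stage` rebuilds `target/universal/stage/lib` from the unmodified dependency jars, this has to run after every stage, exactly as the comment says; removing the class is only a stopgap until log4j itself is upgraded.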
We're using log4j-core-2.9.1, which is vulnerable to a really bad exploit. log4j must be updated to 2.15+, see https://logging.apache.org/log4j/2.x/security.html