(security) log4j format message lookup disabled by default

2024-11-28 09:24:24 +01:00 · 2022-08-30 11:07:50 +02:00 · 2022-08-30 11:07:50 +02:00 · 5429e9889f
commit 5429e9889f
parent b9c02742a1
3 changed files with 3 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,7 @@
 - Refactored test helpers
 - Fix a bug: unable to generate statistics
 - Fix a bug: the automated test on statistics generation was not running
+- Fix a security issue: disable log4j format message lookup by default for new installations
 - [TODO DEPLOY] `rails fablab:maintenance:regenerate_statistics[2022,07]`

 ## v5.4.16 2022 August 24
--- a/docker/development/docker-compose.yml
+++ b/docker/development/docker-compose.yml
@ -18,7 +18,7 @@ services:
  elasticsearch:
    image: elasticsearch:5.6
    environment:
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m -Dlog4j2.formatMsgNoLookups=true"
    ulimits:
      memlock:
        soft: -1
--- a/setup/docker-compose.yml
+++ b/setup/docker-compose.yml
@ -34,7 +34,7 @@ services:
  elasticsearch:
    image: elasticsearch:5.6
    environment:
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m -Dlog4j2.formatMsgNoLookups=true"
    ulimits:
      memlock:
        soft: -1