From 5429e9889f162ab25b95273dabe8ed4aed5b7d64 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Tue, 30 Aug 2022 11:07:50 +0200
Subject: [PATCH] (security) log4j format message lookup disabled by default

---
 CHANGELOG.md                          | 1 +
 docker/development/docker-compose.yml | 2 +-
 setup/docker-compose.yml              | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b61b4405..3c90972f5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - Refactored test helpers
 - Fix a bug: unable to generate statistics
 - Fix a bug: the automated test on statistics generation was not running
+- Fix a security issue: disable log4j format message lookup by default for new installations
 - [TODO DEPLOY] `rails fablab:maintenance:regenerate_statistics[2022,07]`
 
 ## v5.4.16 2022 August 24
diff --git a/docker/development/docker-compose.yml b/docker/development/docker-compose.yml
index ec66c0a2c..bf8f777bf 100644
--- a/docker/development/docker-compose.yml
+++ b/docker/development/docker-compose.yml
@@ -18,7 +18,7 @@ services:
   elasticsearch:
     image: elasticsearch:5.6
     environment:
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m -Dlog4j2.formatMsgNoLookups=true"
     ulimits:
       memlock:
         soft: -1
diff --git a/setup/docker-compose.yml b/setup/docker-compose.yml
index 6a24a9c51..f40e4cd7a 100644
--- a/setup/docker-compose.yml
+++ b/setup/docker-compose.yml
@@ -34,7 +34,7 @@ services:
   elasticsearch:
     image: elasticsearch:5.6
     environment:
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m -Dlog4j2.formatMsgNoLookups=true"
     ulimits:
       memlock:
         soft: -1
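Review bot: The `-Dlog4j2.formatMsgNoLookups=true` appended to the `ES_JAVA_OPTS` line is honored only by Log4j 2.10 and later and is silently ignored on older builds, and with the floating `image: elasticsearch:5.6` tag nothing in this hunk lets a reader confirm which Log4j the container actually runs; the same applies to the identical hunk in setup/docker-compose.yml. As far as I recall Elastic's guidance for the 5.x line, the property is effective only from 5.6.11 onward, and earlier 5.6 patch releases need the JndiLookup class removed from log4j-core or an upgrade instead. I would pin the image to the exact 5.6.x patch release being tested and add a comment above the environment entry, e.g. `# Disables Log4j message lookups; only honored by Log4j >= 2.10 — verify the log4j-core version shipped in this image`. Upstream Log4j guidance treats this property as an incomplete mitigation, so it is hardening rather than a fix, and moving off the end-of-life 5.6 line remains the real remediation.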