(security) log4j vulneralility cve-2021-44228

2025-02-26 20:54:21 +01:00 · 2022-03-21 10:54:16 +01:00 · 2022-03-21 10:54:16 +01:00 · 665d569e16
commit 665d569e16
parent 36d85c0cf7
2 changed files with 29 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -15,6 +15,7 @@
 - Fix a bug: the version check may be scheduled at an invalid time
 - Fix a bug: the moment-timezone relied on an outdated version of moment with a case-sensitive locale file
 - Fix a bug: unable to delete an administrator who had closed an accounting period
+- Fix a security issue: removed message format in elasticsearch's log4j to fix [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)
 - Fix a security issue: updated image_processing to 1.12.2 to fix [CVE-2022-24720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24720)
 - Fix a security issue: updated url-parse to 1.5.10 to fix [CVE-2022-0686](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686), [CVE-2022-0691](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691), [CVE-2022-0639](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639) and [CVE-2022-0512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512)
 - Fix a security issue: updated rails to 5.2.6.3 to fix [CVE-2022-21831](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831), [CVE-2022-23633](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633)
@ -23,6 +24,7 @@
 - Fix a security issue: updated puma to 4.3.11 to fix [CVE-2022-23634](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634)
 - Fix a security issue: updated i18next-http-backend to 1.3.2 to fix [CVE-2022-0235](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0235)
 - Fix a security issue: updated follow-redirects to 1.18.8 to fix [CVE-2022-0536](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536)
+- [TODO DEPLOY] `\curl -sSL https://raw.githubusercontent.com/sleede/fab-manager/master/scripts/cve-2021-44228.sh | bash`

 ## v5.3.5 2022 March 02

--- a/scripts/cve-2021-44228.sh
+++ b/scripts/cve-2021-44228.sh
@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# This script fixes the log4j CVE-2021-44228 vulnerability for instances using Elasticsearch 5.x
+
+yq() {
+  docker run --rm -i -v "${PWD}:/workdir" mikefarah/yq:4 "$@"
+}
+
+config() {
+  SERVICE="$(yq eval '.services.*.image | select(. == "elasticsearch:5*") | path | .[-2]' docker-compose.yml)"
+  if [ -z "$SERVICE" ]; then
+    echo "No Elasticsearch 5 image found in docker-compose.yml"
+    exit 0
+  fi
+}
+
+add_var() {
+  yq eval ".services.$SERVICE.environment += \"ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true\"" docker-compose.yml
+}
+
+proceed()
+{
+  config
+  add_var
+}
+
+proceed "$@"