mirror of https://github.com/LaCasemate/fab-manager.git synced 2025-02-19 13:54:25 +01:00

(security) log4j vulnerability cve-2021-44228

This commit is contained in:
Sylvain 2022-03-21 10:54:16 +01:00
parent 36d85c0cf7
commit 665d569e16
2 changed files with 29 additions and 0 deletions


@ -15,6 +15,7 @@
- Fix a bug: the version check may be scheduled at an invalid time
- Fix a bug: the moment-timezone relied on an outdated version of moment with a case-sensitive locale file
- Fix a bug: unable to delete an administrator who had closed an accounting period
- Fix a security issue: removed message format in elasticsearch's log4j to fix [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)
- Fix a security issue: updated image_processing to 1.12.2 to fix [CVE-2022-24720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24720)
- Fix a security issue: updated url-parse to 1.5.10 to fix [CVE-2022-0686](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686), [CVE-2022-0691](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691), [CVE-2022-0639](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639) and [CVE-2022-0512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512)
- Fix a security issue: updated rails to 5.2.6.3 to fix [CVE-2022-21831](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831), [CVE-2022-23633](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633)
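Review bot: the wording "removed message format in elasticsearch's log4j" on the CVE-2021-44228 line does not describe what the accompanying scripts/cve-2021-44228.sh does. The script sets `ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true`, which disables lookups (JNDI included) during log message formatting; nothing is removed. Suggested wording: `- Fix a security issue: disabled log4j message lookups (-Dlog4j2.formatMsgNoLookups=true) in the Elasticsearch 5.x container to mitigate [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)`. The entry should also make clear that this is a runtime mitigation rather than a log4j upgrade, and that the property is only honoured by log4j 2.10 and later, so an older Elasticsearch 5 image gains nothing from it.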
@ -23,6 +24,7 @@
- Fix a security issue: updated puma to 4.3.11 to fix [CVE-2022-23634](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634)
- Fix a security issue: updated i18next-http-backend to 1.3.2 to fix [CVE-2022-0235](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0235)
- Fix a security issue: updated follow-redirects to 1.18.8 to fix [CVE-2022-0536](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536)
- [TODO DEPLOY] `\curl -sSL https://raw.githubusercontent.com/sleede/fab-manager/master/scripts/cve-2021-44228.sh | bash`
## v5.3.5 2022 March 02
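Review bot: the [TODO DEPLOY] command pipes an unpinned script from the `master` branch straight into `bash`, so whatever that URL serves at deploy time runs with the operator's privileges and cannot be checked against this changelog. Since the script is added in this very commit, point the URL at the commit (665d569e16) instead of `master`, or split the step in two so operators can read it first: `curl -sSLo cve-2021-44228.sh <url>` then `bash cve-2021-44228.sh`. The entry should also say that the command must be run from the directory containing docker-compose.yml (the script mounts `${PWD}` into the yq container and reads the file from there) and that the Elasticsearch container has to be recreated afterwards for the new JVM option to take effect.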

scripts/cve-2021-44228.sh (new file, 27 lines)

@ -0,0 +1,27 @@
#!/usr/bin/env bash
# This script fixes the log4j CVE-2021-44228 vulnerability for instances using Elasticsearch 5.x
yq() {
docker run --rm -i -v "${PWD}:/workdir" mikefarah/yq:4 "$@"
}
config() {
SERVICE="$(yq eval '.services.*.image | select(. == "elasticsearch:5*") | path | .[-2]' docker-compose.yml)"
if [ -z "$SERVICE" ]; then
echo "No Elasticsearch 5 image found in docker-compose.yml"
exit 0
fi
}
add_var() {
yq eval ".services.$SERVICE.environment += \"ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true\"" docker-compose.yml
}
proceed()
{
config
add_var
}
proceed "$@"
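Review bot: `add_var` never writes the change back. `yq eval` without `-i` prints the rewritten document to stdout and leaves docker-compose.yml untouched, so as written the script only echoes the patched compose file to the terminal. Change the line to `yq eval -i ".services.$SERVICE.environment += \"ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true\"" docker-compose.yml`; the volume is mounted read-write, so in-place editing works through the container. Two further points on the same function: it is not idempotent (a second run appends a duplicate entry), and it appends rather than merges, so a service that already defines `ES_JAVA_OPTS` (commonly used to set the heap size with `-Xms`/`-Xmx`) ends up with two entries of which only one can take effect. The `+=` also assumes `environment` is written in list form; the mapping form (`ES_JAVA_OPTS: ...`) needs a different expression, and the script should back up docker-compose.yml before editing it. Lastly, add `set -euo pipefail` at the top: if `docker run` fails (image pull error, daemon not running) the assignment `SERVICE="$(yq eval ...)"` currently leaves `SERVICE` empty and the script takes the `exit 0` branch, reporting "No Elasticsearch 5 image found" when yq simply did not run.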