From 665d569e16d9c6293c3744dd9e96cde21094972a Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Mon, 21 Mar 2022 10:54:16 +0100
Subject: [PATCH] (security) log4j vulneralility cve-2021-44228

---
 CHANGELOG.md | 2 ++
 scripts/cve-2021-44228.sh | 27 +++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 scripts/cve-2021-44228.sh

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 29d7e61a0..485a41b3a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@
 - Fix a bug: the version check may be scheduled at an invalid time
 - Fix a bug: the moment-timezone relied on an outdated version of moment with a case-sensitive locale file
 - Fix a bug: unable to delete an administrator who had closed an accounting period
+- Fix a security issue: removed message format in elasticsearch's log4j to fix [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)
 - Fix a security issue: updated image_processing to 1.12.2 to fix [CVE-2022-24720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24720)
 - Fix a security issue: updated url-parse to 1.5.10 to fix [CVE-2022-0686](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686), [CVE-2022-0691](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691), [CVE-2022-0639](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639) and [CVE-2022-0512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512)
 - Fix a security issue: updated rails to 5.2.6.3 to fix [CVE-2022-21831](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831), [CVE-2022-23633](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633)
@@ -23,6 +24,7 @@
 - Fix a security issue: updated puma to 4.3.11 to fix [CVE-2022-23634](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634)
 - Fix a security issue: updated i18next-http-backend to 1.3.2 to fix [CVE-2022-0235](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0235)
 - Fix a security issue: updated follow-redirects to 1.18.8 to fix [CVE-2022-0536](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536)
+- [TODO DEPLOY] `\curl -sSL https://raw.githubusercontent.com/sleede/fab-manager/master/scripts/cve-2021-44228.sh | bash`
 
 ## v5.3.5 2022 March 02
 
diff --git a/scripts/cve-2021-44228.sh b/scripts/cve-2021-44228.sh
new file mode 100644
index 000000000..461d18238
--- /dev/null
+++ b/scripts/cve-2021-44228.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# This script fixes the log4j CVE-2021-44228 vulnerability for instances using Elasticsearch 5.x
+
+yq() {
+  docker run --rm -i -v "${PWD}:/workdir" mikefarah/yq:4 "$@"
+}
+
+config() {
+  SERVICE="$(yq eval '.services.*.image | select(. == "elasticsearch:5*") | path | .[-2]' docker-compose.yml)"
+  if [ -z "$SERVICE" ]; then
+    echo "No Elasticsearch 5 image found in docker-compose.yml"
+    exit 0
+  fi
+}
+
+add_var() {
+  yq eval ".services.$SERVICE.environment += \"ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true\"" docker-compose.yml
+}
+
+proceed()
+{
+  config
+  add_var
+}
+
+proceed "$@"
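Review bot: `add_var` never modifies docker-compose.yml: yq v4's `eval` writes the transformed document to stdout unless `-i`/`--inplace` is given, so as written the mitigation is only printed and the file on disk is left untouched; the line should be `yq eval -i ".services.$SERVICE.environment += \"ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true\"" docker-compose.yml`. Even once written, `+=` assumes `environment` already exists as a list of `KEY=value` strings — if it is absent or in mapping form the result is not valid compose — and if the service already sets `ES_JAVA_OPTS` (typically for heap sizing) a second entry shadows rather than merges with it, so the existing value should be read and the flag appended to it. The new JVM option only takes effect after the Elasticsearch container is recreated, which neither the script nor the deploy command in the changelog does or mentions. Finally, `formatMsgNoLookups` is honoured only by Log4j 2.10 and later; if the Elasticsearch 5 image in use bundles an older log4j-core the flag is a no-op and removing `JndiLookup.class` from the jar is the supported mitigation, so the bundled version is worth checking before relying on this script.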