Fixes for log4j CVE-2021-44228 (#11786) (#11789)
Apache Log4j2 JNDI features do not protect against attacker controlled
LDAP and other JNDI related endpoints.

- Configure log4j2.formatMsgNoLookups=true by default
- Update log4j to 2.15.0

Details: https://logging.apache.org/log4j/2.x/security.html
(cherry picked from commit eb0296d)
mpfz0r committed Dec 10, 2021
1 parent 01d68e9 commit d3e441f
Showing 3 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion bin/graylogctl
Expand Up @@ -51,7 +51,7 @@ GRAYLOG_CONF=${GRAYLOG_CONF:=/etc/graylog/server/server.conf}
GRAYLOG_PID=${GRAYLOG_PID:=/tmp/graylog.pid}
LOG_FILE=${LOG_FILE:=log/graylog-server.log}
LOG4J=${LOG4J:=}
DEFAULT_JAVA_OPTS="-Djdk.tls.acknowledgeCloseNotify=true -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"
DEFAULT_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true -Djdk.tls.acknowledgeCloseNotify=true -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"
if $JAVA_CMD -XX:+PrintFlagsFinal 2>&1 |grep -q UseParNewGC; then
DEFAULT_JAVA_OPTS="${DEFAULT_JAVA_OPTS} -XX:+UseParNewGC"
fi
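Review bot: the new flag only rides on DEFAULT_JAVA_OPTS, so it is lost whenever an operator supplies their own Java options instead of the defaults; since the pom.xml bump to 2.15.0 is the durable fix and this property is defense in depth, the commit or upgrade notes should say so explicitly and tell operators with custom options to add `-Dlog4j2.formatMsgNoLookups=true` themselves. Prepending it at the front of the string is fine for a `-D` property, but the same value now lives in two places (this script and the container profile), so a comment pointing at the other copy would help keep them in sync.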
Expand Up @@ -16,7 +16,7 @@ RUN \
echo "export JAVA_HOME=/usr/local/openjdk-8" > /etc/profile.d/graylog.sh && \
echo "export BUILD_DATE=${BUILD_DATE}" >> /etc/profile.d/graylog.sh && \
echo "export GRAYLOG_VERSION=${GRAYLOG_VERSION}" >> /etc/profile.d/graylog.sh && \
echo "export GRAYLOG_SERVER_JAVA_OPTS='-Djdk.tls.acknowledgeCloseNotify=true -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow " ${DEBUG_OPTS} "'" >> /etc/profile.d/graylog.sh && \
echo "export GRAYLOG_SERVER_JAVA_OPTS='-Dlog4j2.formatMsgNoLookups=true -Djdk.tls.acknowledgeCloseNotify=true -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow " ${DEBUG_OPTS} "'" >> /etc/profile.d/graylog.sh && \
echo "export GRAYLOG_HOME=${GRAYLOG_HOME}" >> /etc/profile.d/graylog.sh && \
echo "export GRAYLOG_USER=${GRAYLOG_USER}" >> /etc/profile.d/graylog.sh && \
echo "export GRAYLOG_GROUP=${GRAYLOG_GROUP}" >> /etc/profile.d/graylog.sh && \
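Review bot: this bakes the flag into the single exported GRAYLOG_SERVER_JAVA_OPTS string in /etc/profile.d/graylog.sh, so any runtime override of that variable replaces the whole string and silently drops `-Dlog4j2.formatMsgNoLookups=true`; worth documenting, and worth a startup log line or check that confirms the property is set, since the image is the deployment shape most people will inspect first. The pre-existing quoting (`" ${DEBUG_OPTS} "'`) leaves DEBUG_OPTS expanded unquoted between two double-quoted segments; not introduced here, but since the line is being touched it is a cheap moment to tidy it.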
2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -130,7 +130,7 @@
<json-path.version>2.4.0</json-path.version>
<kafka.version>2.7.0</kafka.version>
<kafka09.version>0.9.0.1-6</kafka09.version>
<log4j.version>2.13.3</log4j.version>
<log4j.version>2.15.0</log4j.version>
<metrics.version>4.1.9</metrics.version>
<mongodb-driver.version>3.12.1</mongodb-driver.version>
<mongojack.version>2.10.1</mongojack.version>
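Review bot: bumping the shared `log4j.version` property to 2.15.0 only fixes artifacts that reference that property; please confirm with `mvn dependency:tree` that no module pins log4j-core or log4j-api separately and that nothing (for example the kafka dependencies versioned alongside it here) pulls in an older log4j transitively, otherwise the vulnerable classes can still end up on the classpath and only the system property from the other two hunks stands between them and a JNDI lookup. The commit message should also note that the version bump is the primary fix and the property is a fallback.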

0 comments on commit d3e441f
