Mitigate log4shell security flaw CVE-2021-44228, CVE-2021-45046, CVE-2021-45105. SYS-1129.

cea7d291 · Raphaël Flores · ace14a92 · cea7d291 · cea7d291
Verified Commit cea7d291 authored Dec 29, 2021 by Raphaël Flores
--- a/backend/build.gradle.kts
+++ b/backend/build.gradle.kts
@@ -99,6 +99,15 @@ dependencyManagement {
 }

 dependencies {
+    constraints {
+        implementation("org.apache.logging.log4j:log4j-core") {
+            version {
+                strictly("[2.17, 3[")
+                prefer("2.17.0")
+            }
+            because("CVE-2021-44228, CVE-2021-45046, CVE-2021-45105: Log4j vulnerable to remote code execution and other critical security vulnerabilities")
+        }
+    }
    // Spring
    annotationProcessor("org.springframework.boot:spring-boot-configuration-processor")


--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,6 +5,7 @@ services:
    container_name: elasticsearch-faidare
    environment:
      - discovery.type=single-node
+      - "ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true"
    ports:
      - 9200:9200