Remove harming Log4J class

See CVE-2021-44228 See https://logging.apache.org/log4j/2.x/security.html Unfortunately, upgrading to Log4J 2.15.0 is not possible because on uses an old version of ElasticSearch which relies on an old version of Log4J. See komoot/photon#620 for details.
OpenBfS · Dec 14, 2021 · 278cb6c · 278cb6c
1 parent 4f1d348
commit 278cb6c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/nominatim/Dockerfile b/nominatim/Dockerfile
@@ -3,8 +3,9 @@ FROM ubuntu:20.04
 ARG NOMINATIM_TARBALL_URL
 ARG PHOTON_ZIP_URL_BASE
 ARG PHOTON_BRANCH_TAG
+ARG PHOTON_JAR_NAME
 
-RUN apt-get update -y && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y wget build-essential cmake g++ libboost-dev libboost-system-dev libboost-filesystem-dev libexpat1-dev zlib1g-dev libxml2-dev libbz2-dev libpq-dev libproj-dev php php-pgsql php-intl postgresql-server-dev-12 python3-psycopg2 python3-pip openjdk-11-jdk maven postgresql-client-12 unzip wait-for-it osmium-tool
+RUN apt-get update -y && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y wget build-essential cmake g++ libboost-dev libboost-system-dev libboost-filesystem-dev libexpat1-dev zlib1g-dev libxml2-dev libbz2-dev libpq-dev libproj-dev php php-pgsql php-intl postgresql-server-dev-12 python3-psycopg2 python3-pip openjdk-11-jdk maven postgresql-client-12 unzip wait-for-it osmium-tool zip
 
 RUN pip3 install osmium
 
@@ -16,7 +17,8 @@ RUN cd /nominatim/data && wget --quiet -O country_osm_grid.sql.gz https://www.no
 
 RUN wget --quiet -O /photon.zip $PHOTON_ZIP_URL_BASE/$PHOTON_BRANCH_TAG.zip && unzip -q -d /photon /photon.zip && mv /photon/photon-$PHOTON_BRANCH_TAG/src/ /photon/photon-$PHOTON_BRANCH_TAG/es/ /photon/photon-$PHOTON_BRANCH_TAG/website/ /photon/photon-$PHOTON_BRANCH_TAG/pom.xml /photon
 
-RUN mvn -q -f /photon/pom.xml compile package -DskipTests=true
+RUN mvn -q -f /photon/pom.xml compile package -DskipTests=true && \
+    zip -d $PHOTON_JAR_NAME org/apache/logging/log4j/core/lookup/JndiLookup.class
 
 COPY import-address-postcode-polygons-preserve.style /nominatim/settings/
 

diff --git a/photon-slave/Dockerfile b/photon-slave/Dockerfile
@@ -5,7 +5,7 @@ ARG PHOTON_ZIP_URL_BASE
 ARG PHOTON_BRANCH_TAG
 
 RUN apt-get update -y && \
-    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y rsync openjdk-11-jdk maven openssh-client wget python3 unzip && \
+    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y rsync openjdk-11-jdk maven openssh-client wget python3 unzip zip && \
     echo "A SSH public key will be copied into a Docker volume mounted at /ssh-authorized-keys in the next step. It will fail if you have not created this file yet! Please see the subsection \"SSH-Schlüssel\" in the chapter \"Geocoding\" in the setup guide for further details."
 
 COPY id_root_ed25519 /ssh-private-keys/id_root_ed25519
@@ -19,7 +19,8 @@ RUN mkdir -p /photon/photon-$PHOTON_BRANCH_TAG
 
 RUN wget --quiet -O /photon.zip $PHOTON_ZIP_URL_BASE/$PHOTON_BRANCH_TAG.zip && unzip -q -d /photon /photon.zip && mv /photon/photon-$PHOTON_BRANCH_TAG/src/ /photon/photon-$PHOTON_BRANCH_TAG/es/ /photon/photon-$PHOTON_BRANCH_TAG/website/ /photon/photon-$PHOTON_BRANCH_TAG/pom.xml /photon
 
-RUN mvn -q -f /photon/pom.xml compile package -DskipTests=true
+RUN mvn -q -f /photon/pom.xml compile package -DskipTests=true && \
+    zip -d /photon/target/photon-$PHOTON_VERSION.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 
 COPY run_and_update.py /