-Dlog4j2.formatMsgNoLookups=true for Debian/Ubuntu package (CVE-2021-44228)

Description

Adding -Dlog4j2.formatMsgNoLookups=true to the environment setup of Okapi in the Debian/Ubuntu package fixed the Log4j issue; the change is in this workflow:

https://github.com/julianladisch/okapi/blob/master/.github/workflows/log4j-debian.yml

Successful run:
https://github.com/julianladisch/okapi/runs/4504598357?check_suite_focus=true
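An added example, not code from the ticket, the linked workflow or the Okapi package: a small POSIX shell library that applies the same flag on a Debian/Ubuntu host and checks that it really reached the JVM. It assumes the service takes its JVM options from a JAVA_OPTIONS="..." line in an environment file; that variable name and any path you pass in are assumptions, not the package's real ones.

```shell
#!/bin/sh
# Added example, not part of the ticket or the Okapi package: apply the
# -Dlog4j2.formatMsgNoLookups=true mitigation on a Debian/Ubuntu host and
# verify that it really reached the JVM.
# Assumption: the service reads its JVM options from a JAVA_OPTIONS="..."
# line in an environment file (variable name and file path are placeholders).
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# 0 if one of the given JVM arguments is exactly the flag: "=false" and
# prefix matches such as "...=truex" do not count.
has_nolookups_flag() {
  for arg in "$@"; do
    [ "$arg" = "$FLAG" ] && return 0
  done
  return 1
}

# Check a running JVM: /proc/<pid>/cmdline is NUL-separated, so compare
# whole arguments (grep -x) rather than searching for a substring.
process_has_flag() {
  [ -r "/proc/$1/cmdline" ] || return 2
  tr '\0' '\n' < "/proc/$1/cmdline" | grep -qxF -- "$FLAG"
}

# Print the words of the last JAVA_OPTIONS="..." line of an env file.
java_options_from_env_file() {
  line=$(grep -E '^JAVA_OPTIONS=' "$1" | tail -n 1)
  line=${line#JAVA_OPTIONS=}
  line=${line#\"}
  line=${line%\"}
  printf '%s\n' $line
}

# Idempotently add the flag to JAVA_OPTIONS, creating the line if absent,
# and fail unless the file really carries it afterwards.
ensure_flag_in_env_file() {
  if grep -qF -- "$FLAG" "$1" 2>/dev/null; then
    return 0
  fi
  if grep -qE '^JAVA_OPTIONS="' "$1" 2>/dev/null; then
    sed -i -E "s|^(JAVA_OPTIONS=\"[^\"]*)\"|\\1 $FLAG\"|" "$1"
  else
    printf 'JAVA_OPTIONS="%s"\n' "$FLAG" >> "$1"
  fi
  grep -qF -- "$FLAG" "$1"
}
```

Typical use is ensure_flag_in_env_file on the service's env file followed by a restart and process_has_flag on the new PID; as the ticket says, the flag is an extra safeguard on top of upgrading Log4j, and this check only confirms the flag is present, not that the bundled Log4j version is fixed.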


Activity

Julian Ladisch December 13, 2021 at 12:38 PM

We know that Log4j 2.15.0 is not a complete fix: https://issues.apache.org/jira/browse/LOG4J2-3208

Using only -Dlog4j2.formatMsgNoLookups=true fixed the issue for the okapi 4.9.0-1 Debian/Ubuntu package.

Adding the option has no disadvantages.

But it is an additional lock if anything goes wrong, for example if there is some strange dependency.

We can remove this option when Okapi has updated to the log4j version with the LOG4J2-3208 fix and we are sure that we don't need it.

Jakub Skoczen December 13, 2021 at 11:51 AM

Please clarify on this ticket why we need this in addition to , thanks.

Details

Status

Done

Development Team

Core: Platform

Created December 13, 2021 at 11:15 AM
Updated December 13, 2021 at 3:39 PM
Resolved December 13, 2021 at 11:53 AM