Apply mitigation for CVE-2021-45046

WadeBarnes · WadeBarnes · commit 3ee034ea6e45 · 2021-12-15T13:00:49.000-08:00
Mitigation documented here; https://logging.apache.org/log4j/2.x/security.html Signed-off-by: Wade Barnes <wade@neoterictech.ca>
diff --git a/Dockerfile b/Dockerfile
@@ -5,16 +5,25 @@ LABEL maintainer="emiliano.sune@gmail.com"
 USER root
 ENV STI_SCRIPTS_PATH=/usr/libexec/s2i
 
+RUN apt-get update && \
+    apt-get install zip
+
 # ===============================================================================================
-# Mitigation for CVE-2021-44228
+# Mitigation for CVE-2021-44228 and CVE-2021-45046
+#   - Set LOG4J_FORMAT_MSG_NO_LOOKUPS=true
+#   - Remove JndiLookup.class from the classpath.
 #
 # Upgrade to solr 8.11.1 or greater when availble.
 #
 # References:
 #   - https://logging.apache.org/log4j/2.x/security.html
 #   - https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
+#
+# Search for jars containing JndiLookup.class:
+#   - find / -name log4j-core*.jar -exec unzip -vl {} \; 2>/dev/null | grep JndiLookup.class
 # -----------------------------------------------------------------------------------------------
 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
+RUN find / -name log4j-core*.jar -exec zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class \; 2>/dev/null
 # ===============================================================================================
 
 LABEL io.k8s.description="Run SOLR search in OpenShift" \
