From 3d0530cf0fdaf671799642a1cb82a199e5590433 Mon Sep 17 00:00:00 2001 From: Dan Timoney Date: Wed, 15 Dec 2021 15:25:30 -0500 Subject: Remediate log4shell vulnerability Remove JndiLookup.class to remediate log4shell vulnerability Issue-ID: CCSDK-3556 Signed-off-by: Dan Timoney Change-Id: Iadfd1f01bd7949a1a60d67bb9dca121024adaeb8 Former-commit-id: a2dd8e00057c772e57d8ddf4af15c8e942f66247 --- installation/dmaap-listener/src/main/docker/Dockerfile | 8 ++++++-- installation/sdnc/src/main/docker/Dockerfile | 7 +++++++ installation/ueb-listener/src/main/docker/Dockerfile | 8 +++++++- 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/installation/dmaap-listener/src/main/docker/Dockerfile b/installation/dmaap-listener/src/main/docker/Dockerfile index d3780e47..f6a034a8 100644 --- a/installation/dmaap-listener/src/main/docker/Dockerfile +++ b/installation/dmaap-listener/src/main/docker/Dockerfile @@ -1,11 +1,15 @@ # Base ubuntu with added packages needed for open ecomp FROM onap/ccsdk-alpine-j11-image:${ccsdk.docker.version} AS stage0 - +USER root ENV SDNC_CONFIG_DIR /opt/onap/sdnc/data/properties # copy deliverables to opt COPY opt /opt +# Remediate log4shell vuln +RUN apk add zip +RUN zip -q -d /opt/onap/sdnc/dmaap-listener/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class + # End of stage 0 FROM onap/ccsdk-alpine-j11-image:${ccsdk.docker.version} @@ -19,8 +23,8 @@ USER root # Create sdnc user RUN addgroup -S sdnc && adduser -S sdnc -G sdnc - # Copy /opt and change owner/group to sdnc COPY --from=stage0 --chown=sdnc:sdnc /opt /opt + USER sdnc \ No newline at end of file diff --git a/installation/sdnc/src/main/docker/Dockerfile b/installation/sdnc/src/main/docker/Dockerfile index 7bb3d23a..15a33d5a 100755 --- a/installation/sdnc/src/main/docker/Dockerfile +++ b/installation/sdnc/src/main/docker/Dockerfile @@ -60,9 +60,16 @@ RUN cp /opt/onap/sdnc/data/properties/svclogic-compiler.properties /opt/onap/sdn RUN find /opt/opendaylight -name "*features*.xml" -exec sed -i -e 's|4.0.1|3.1.0|g' {} \; # Short term fix ends +# Remediate log4shell vuln +RUN apk add zip +RUN find /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-log4j2 -name 'pax-logging-log4j2*.jar' -exec zip -q -d '{}' org/apache/logging/log4j/core/lookup/JndiLookup.class \; + + # Changing ownership and permission of /opt RUN chown -R odl:odl /opt && chmod -R 755 /opt + + ## END OF STAGE0 ## ################################################# diff --git a/installation/ueb-listener/src/main/docker/Dockerfile b/installation/ueb-listener/src/main/docker/Dockerfile index 88d31e31..0df998be 100644 --- a/installation/ueb-listener/src/main/docker/Dockerfile +++ b/installation/ueb-listener/src/main/docker/Dockerfile @@ -1,12 +1,18 @@ # Base alpine with added packages needed for open ecomp FROM onap/ccsdk-alpine-j11-image:${ccsdk.docker.version} AS stage0 - +USER root ENV SDNC_CONFIG_DIR /opt/onap/sdnc/data/properties # copy deliverables to opt COPY opt /opt +# Remediate log4shell vuln +RUN apk add zip +RUN zip -q -d /opt/onap/sdnc/ueb-listener/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class + + + # End of stage0 FROM onap/ccsdk-alpine-j11-image:${ccsdk.docker.version} -- cgit 1.2.3-korg