From 616dfb0f19f7f93f6b33a9bf658e30a785b7c113 Mon Sep 17 00:00:00 2001 From: Dan Timoney Date: Wed, 15 Dec 2021 15:25:30 -0500 Subject: Remediate log4shell vulnerability Remove JndiLookup.class to remediate log4shell vulnerability Issue-ID: CCSDK-3556 Signed-off-by: Dan Timoney Change-Id: Iadfd1f01bd7949a1a60d67bb9dca121024adaeb8 Former-commit-id: 17f7ccb3e64db4e18780e01fcb29d663cff68d7e --- installation/dmaap-listener/src/main/docker/Dockerfile | 8 ++++++-- installation/sdnc/src/main/docker/Dockerfile | 7 +++++++ installation/ueb-listener/src/main/docker/Dockerfile | 8 +++++++- 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/installation/dmaap-listener/src/main/docker/Dockerfile b/installation/dmaap-listener/src/main/docker/Dockerfile index d3780e47..f6a034a8 100644 --- a/installation/dmaap-listener/src/main/docker/Dockerfile +++ b/installation/dmaap-listener/src/main/docker/Dockerfile @@ -1,11 +1,15 @@ # Base ubuntu with added packages needed for open ecomp FROM onap/ccsdk-alpine-j11-image:${ccsdk.docker.version} AS stage0 - +USER root ENV SDNC_CONFIG_DIR /opt/onap/sdnc/data/properties # copy deliverables to opt COPY opt /opt +# Remediate log4shell vuln +RUN apk add zip +RUN zip -q -d /opt/onap/sdnc/dmaap-listener/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class + # End of stage 0 FROM onap/ccsdk-alpine-j11-image:${ccsdk.docker.version} @@ -19,8 +23,8 @@ USER root # Create sdnc user RUN addgroup -S sdnc && adduser -S sdnc -G sdnc - # Copy /opt and change owner/group to sdnc COPY --from=stage0 --chown=sdnc:sdnc /opt /opt + USER sdnc \ No newline at end of file diff --git a/installation/sdnc/src/main/docker/Dockerfile b/installation/sdnc/src/main/docker/Dockerfile index 7bb3d23a..15a33d5a 100755 --- a/installation/sdnc/src/main/docker/Dockerfile +++ b/installation/sdnc/src/main/docker/Dockerfile @@ -60,9 +60,16 @@ RUN cp /opt/onap/sdnc/data/properties/svclogic-compiler.properties /opt/onap/sdn RUN find /opt/opendaylight -name "*features*.xml" -exec sed -i -e 's|4.0.1|3.1.0|g' {} \; # Short term fix ends +# Remediate log4shell vuln +RUN apk add zip +RUN find /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-log4j2 -name 'pax-logging-log4j2*.jar' -exec zip -q -d '{}' org/apache/logging/log4j/core/lookup/JndiLookup.class \; + + # Changing ownership and permission of /opt RUN chown -R odl:odl /opt && chmod -R 755 /opt + + ## END OF STAGE0 ## ################################################# diff --git a/installation/ueb-listener/src/main/docker/Dockerfile b/installation/ueb-listener/src/main/docker/Dockerfile index 88d31e31..0df998be 100644 --- a/installation/ueb-listener/src/main/docker/Dockerfile +++ b/installation/ueb-listener/src/main/docker/Dockerfile @@ -1,12 +1,18 @@ # Base alpine with added packages needed for open ecomp FROM onap/ccsdk-alpine-j11-image:${ccsdk.docker.version} AS stage0 - +USER root ENV SDNC_CONFIG_DIR /opt/onap/sdnc/data/properties # copy deliverables to opt COPY opt /opt +# Remediate log4shell vuln +RUN apk add zip +RUN zip -q -d /opt/onap/sdnc/ueb-listener/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class + + + # End of stage0 FROM onap/ccsdk-alpine-j11-image:${ccsdk.docker.version} -- cgit 1.2.3-korg