From: Dan Timoney <dtimoney@att.com>
Date: Wed, 15 Dec 2021 20:25:30 +0000 (-0500)
Subject: Remediate log4shell vulnerability
X-Git-Tag: 2.3.0~11^2
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=3d0530cf0fdaf671799642a1cb82a199e5590433;hp=09fcafbe6a01ae18abaf7211a21e1bd1cca10431;p=sdnc%2Foam.git

Remediate log4shell vulnerability

Remove JndiLookup.class to remediate log4shell vulnerability

Issue-ID: CCSDK-3556
Signed-off-by: Dan Timoney <dtimoney@att.com>
Change-Id: Iadfd1f01bd7949a1a60d67bb9dca121024adaeb8

Former-commit-id: a2dd8e00057c772e57d8ddf4af15c8e942f66247
---

diff --git a/installation/dmaap-listener/src/main/docker/Dockerfile b/installation/dmaap-listener/src/main/docker/Dockerfile
index d3780e47..f6a034a8 100644
--- a/installation/dmaap-listener/src/main/docker/Dockerfile
+++ b/installation/dmaap-listener/src/main/docker/Dockerfile
@@ -1,11 +1,15 @@
 # Base ubuntu with added packages needed for open ecomp
 FROM onap/ccsdk-alpine-j11-image:${ccsdk.docker.version} AS stage0
-
+USER root
 ENV SDNC_CONFIG_DIR /opt/onap/sdnc/data/properties
 
 # copy deliverables to opt
 COPY opt /opt
 
+# Remediate log4shell vuln
+RUN apk add zip
+RUN zip -q -d /opt/onap/sdnc/dmaap-listener/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
+
 # End of stage 0
 
 FROM onap/ccsdk-alpine-j11-image:${ccsdk.docker.version}
@@ -19,8 +23,8 @@ USER root
 # Create sdnc user
 RUN addgroup -S sdnc && adduser -S sdnc -G sdnc
 
-
 # Copy /opt and change owner/group to sdnc
 COPY --from=stage0 --chown=sdnc:sdnc /opt /opt
 
+
 USER sdnc
\ No newline at end of file
diff --git a/installation/sdnc/src/main/docker/Dockerfile b/installation/sdnc/src/main/docker/Dockerfile
index 7bb3d23a..15a33d5a 100755
--- a/installation/sdnc/src/main/docker/Dockerfile
+++ b/installation/sdnc/src/main/docker/Dockerfile
@@ -60,9 +60,16 @@ RUN cp /opt/onap/sdnc/data/properties/svclogic-compiler.properties /opt/onap/sdn
 RUN find /opt/opendaylight -name "*features*.xml" -exec sed -i -e 's|4.0.1|3.1.0|g' {} \;
 # Short term fix ends
 
+# Remediate log4shell vuln
+RUN apk add zip
+RUN find /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-log4j2 -name 'pax-logging-log4j2*.jar' -exec zip -q -d '{}' org/apache/logging/log4j/core/lookup/JndiLookup.class \;
+
+
 # Changing ownership and permission of /opt
 RUN chown -R odl:odl /opt && chmod -R 755 /opt
 
+
+
 ## END OF STAGE0 ##
 
 #################################################
diff --git a/installation/ueb-listener/src/main/docker/Dockerfile b/installation/ueb-listener/src/main/docker/Dockerfile
index 88d31e31..0df998be 100644
--- a/installation/ueb-listener/src/main/docker/Dockerfile
+++ b/installation/ueb-listener/src/main/docker/Dockerfile
@@ -1,12 +1,18 @@
 # Base alpine with added packages needed for open ecomp
 FROM onap/ccsdk-alpine-j11-image:${ccsdk.docker.version} AS stage0
-
+USER root
 ENV SDNC_CONFIG_DIR /opt/onap/sdnc/data/properties
 
 
 # copy deliverables to opt
 COPY opt /opt
 
+# Remediate log4shell vuln
+RUN apk add zip
+RUN zip -q -d /opt/onap/sdnc/ueb-listener/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
+
+
+
 # End of stage0
 
 FROM onap/ccsdk-alpine-j11-image:${ccsdk.docker.version}