Mitigations for Log4J CVE-2021-44228 (#209)

* Fix for Log4J CVE-2021-44228 - Global environment variable. As noted in https://www.sentinelone.com/blog/cve-2021-44228-staying-secure-apache-log4j-vulnerability/ Setting the enviroment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. * Update Solr version with Log4J update. * Directly remove Jndi lookup class from Log4j core JAR files. * DOn't run JNDI fix on Solr 8.11.1 * Ignore errors removing JNDI class from Solr i.e., already done.
Islandora-Devops · Jan 13, 2022 · 3e502a3 · 3e502a3
1 parent f38625e
commit 3e502a3
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 4 deletions.
diff --git a/bootstrap.yml b/bootstrap.yml
@@ -83,6 +83,14 @@
       when:  defaultdir_exists.stat.exists == true
       become: yes
 
+    - name: populate /etc/environment
+      lineinfile:
+        dest: "/etc/environment"
+        state: present
+        regexp: "^{{ item.key }}="
+        line: "{{ item.key }}={{ item.value}}"
+      with_items: "{{ os_environment }}"
+
     # Include install profile-specific variables
     - name: include Drupal install profile specific variables
       include_vars: "vars/{{ islandora_profile }}.yml"
diff --git a/inventory/vagrant/group_vars/all/main.yml b/inventory/vagrant/group_vars/all/main.yml
@@ -39,3 +39,8 @@ mysql_users:
 # Used by both the webserver and crayfish role for CentOS.
 php_enablerepo: "remi-php72"
 php_packages_state: "latest"
+
+# Log4j 
+os_environment:
+  - key: LOG4J_FORMAT_MSG_NO_LOOKUPS 
+    value: true
diff --git a/inventory/vagrant/group_vars/solr.yml b/inventory/vagrant/group_vars/solr.yml
@@ -1,4 +1,4 @@
-#solr_version: "7.7.3"
+solr_version: "8.11.1"
 
 solr_cores:
   - ISLANDORA

diff --git a/requirements.yml b/requirements.yml
@@ -29,7 +29,7 @@
   version: 1.4.3
 
 - src: geerlingguy.solr
-  version: 5.2.0
+  version: 5.3.0
 
 - src: geerlingguy.java
   version: 1.10.0

diff --git a/roles/internal/Islandora-Devops.tomcat8/tasks/main.yml b/roles/internal/Islandora-Devops.tomcat8/tasks/main.yml
@@ -11,8 +11,7 @@
     - tomcat9
     - tomcat9-install
 
-- include: config.yml
-  static: no
+- include_tasks: config.yml
   tags:
     - tomcat9
     - tomcat9-config
diff --git a/solr.yml b/solr.yml
@@ -70,3 +70,25 @@
       retries: 20
       delay: 3
       tags: solr
+
+    # Log4j December 2021 vulnurability fix.
+    - name: Install zip command
+      apt:
+        name: "zip"
+        state: present
+        cache_valid_time: 3600
+
+    - name: Find any instances of vulnurable Log4J core JAR file
+      command: "find / -name log4j-core-2.1[0,1,2,3,4,5].?.jar"
+      register: log4j_jars
+      changed_when: false
+      until: files_to_copy is not failed
+      retries: 5
+      tags: solr
+
+    - name: Delete Log4J JNDI class from JARs
+      command: "zip -q -d {{ item }} org/apache/logging/log4j/core/lookup/JndiLookup.class"
+      with_items:
+        - "{{ log4j_jars.stdout_lines }}"
+      ignore_errors: yes
+      tags: solr