> On Dec 16, 2021, at 8:26 AM, Carlos Cueto <ccuet...@gmail.com> wrote:
>
> Any idea when it will be available on Docker Hub? 8.11.1 tag is still not added.

I don’t know, but yesterday I went and changed my build process for our Docker image of Solr to delete the JNDI classes from the jar files as a stopgap until a proper 8.11.1 came out. See https://logging.apache.org/log4j/2.x/security.html for details.

This is how I did it. To be able to delete the class files, one must use zip, so I had to install that in the container. To install zip in the container, I had to make a fake UserAgent file for apt-get to not get refused by the mirrors.

Here is my Dockerfile:

    FROM solr:8.11.0
    # https://hub.docker.com/_/solr/
    # https://github.com/docker-solr/docker-solr#extending-the-image
    # https://solr.apache.org/docs/8_11_0/changes/Changes.html

    # The SOLR_xxxx vars override defaults. See /etc/default/solr.in.sh in the container for more.
    ENV \
      TZ=America/Chicago \
      SOLR_TIMEZONE=America/Chicago \
      SOLR_HEAP=20g

    USER root

    RUN \
      echo 'Installing additional packages' \
      && echo 'Create new agent to get around apt-get bugs per https://lists.debian.org/debian-user/2019/10/msg00629.html' \
      && echo 'Acquire' > /etc/apt/apt.conf.d/99useragent \
      && echo '{' >> /etc/apt/apt.conf.d/99useragent \
      && echo ' http::User-Agent "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0";' >> /etc/apt/apt.conf.d/99useragent \
      && echo '};' >> /etc/apt/apt.conf.d/99useragent \
      && echo 'Done populating user agent' \
      && echo 'Installing zip' \
      && apt-get update \
      && apt-get install -y zip \
      && rm -rf /var/lib/apt/lists/* \
      && apt-get clean all \
      && echo 'Done installing additional packages' \
      && echo 'Delete JNDI from the log4j files in both Solr and the exporter' \
      && zip -q -d /opt/solr-8.11.0/contrib/prometheus-exporter/lib/log4j-core-2.14.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
      && zip -q -d /opt/solr-8.11.0/server/lib/ext/log4j-core-2.14.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class \
      && echo 'Deleted JNDI from jars'

    USER solr

I hope this helps someone.

Andy
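
A way to verify that the stopgap took effect, as an added example that is not part of the original message: it walks a directory tree and reports every archive that still contains JndiLookup.class. The function names and the in-memory test jars are assumptions made for illustration, and the scan also descends into jars nested inside other archives, which goes beyond the two jars named in the Dockerfile.

```python
import io
import os
import sys
import zipfile

# Class path taken from the zip -d commands in the Dockerfile above.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def jndi_hits(data, label):
    """Return labels of archives (nested ones included) that contain JndiLookup.class."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS:
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXT):
                    # Recurse into bundled archives, e.g. WEB-INF/lib/*.jar
                    hits += jndi_hits(zf.read(name), f"{label}!{name}")
    except zipfile.BadZipFile:
        pass  # not a readable zip archive, so there is nothing to inspect
    return hits


def scan_tree(root):
    """Walk root and check every jar/war/ear file found under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    hits += jndi_hits(fh.read(), path)
    return hits


def make_jar(entries):
    """Build a constructed in-memory jar for testing (not a real log4j jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Default root is the Solr install path used in the Dockerfile above.
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/opt/solr-8.11.0")
    for hit in found:
        print("JndiLookup.class still present:", hit)
    sys.exit(1 if found else 0)
```

Run inside the built image, the script exits non-zero if any archive under the given root still carries the class, so it can serve as a build gate.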