
Commit eb0296d

authored
Fixes for log4j CVE-2021-44228 (#11786)
Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
- Configure log4j2.formatMsgNoLookups=true by default
- Update log4j to 2.15.0

Details: https://logging.apache.org/log4j/2.x/security.html
1 parent 1fed9cd commit eb0296d

3 files changed

+3
-3
lines changed


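--- a/bin/graylogctl
+++ b/bin/graylogctl
@@ -51,7 +51,7 @@ GRAYLOG_CONF=${GRAYLOG_CONF:=/etc/graylog/server/server.conf}
 GRAYLOG_PID=${GRAYLOG_PID:=/tmp/graylog.pid}
 LOG_FILE=${LOG_FILE:=log/graylog-server.log}
 LOG4J=${LOG4J:=}
-DEFAULT_JAVA_OPTS="-Djdk.tls.acknowledgeCloseNotify=true -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"
+DEFAULT_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true -Djdk.tls.acknowledgeCloseNotify=true -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"
 if $JAVA_CMD -XX:+PrintFlagsFinal 2>&1 |grep -q UseParNewGC; then
 DEFAULT_JAVA_OPTS="${DEFAULT_JAVA_OPTS} -XX:+UseParNewGC"
 fi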
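Review bot: The mitigation property on the new `DEFAULT_JAVA_OPTS` line is only applied when the defaults are actually used. If the script lets an operator-supplied `JAVA_OPTS` replace `DEFAULT_JAVA_OPTS` (that assignment is outside this hunk, so this needs confirming), deployments with custom JVM options would start without `-Dlog4j2.formatMsgNoLookups=true`. Consider adding the property where the final java command line is assembled, so it cannot be dropped by an override. A comment above the assignment would also help, such as `# log4j2.formatMsgNoLookups=true: CVE-2021-44228 mitigation, keep when tuning JVM flags`. The same hand-copied flag sits inside the `GRAYLOG_SERVER_JAVA_OPTS` string in the test Dockerfile, so the two copies can drift apart.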

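--- a/graylog2-server/src/test/resources/org/graylog/testing/graylognode/Dockerfile
+++ b/graylog2-server/src/test/resources/org/graylog/testing/graylognode/Dockerfile
@@ -16,7 +16,7 @@ RUN \
 echo "export JAVA_HOME=/usr/local/openjdk-8" > /etc/profile.d/graylog.sh && \
 echo "export BUILD_DATE=${BUILD_DATE}" >> /etc/profile.d/graylog.sh && \
 echo "export GRAYLOG_VERSION=${GRAYLOG_VERSION}" >> /etc/profile.d/graylog.sh && \
-echo "export GRAYLOG_SERVER_JAVA_OPTS='-Djdk.tls.acknowledgeCloseNotify=true -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow " ${DEBUG_OPTS} "'" >> /etc/profile.d/graylog.sh && \
+echo "export GRAYLOG_SERVER_JAVA_OPTS='-Dlog4j2.formatMsgNoLookups=true -Djdk.tls.acknowledgeCloseNotify=true -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow " ${DEBUG_OPTS} "'" >> /etc/profile.d/graylog.sh && \
 echo "export GRAYLOG_HOME=${GRAYLOG_HOME}" >> /etc/profile.d/graylog.sh && \
 echo "export GRAYLOG_USER=${GRAYLOG_USER}" >> /etc/profile.d/graylog.sh && \
 echo "export GRAYLOG_GROUP=${GRAYLOG_GROUP}" >> /etc/profile.d/graylog.sh && \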

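--- a/pom.xml
+++ b/pom.xml
@@ -132,7 +132,7 @@
 <json-path.version>2.4.0</json-path.version>
 <kafka.version>2.7.0</kafka.version>
 <kafka09.version>0.9.0.1-6</kafka09.version>
-<log4j.version>2.13.3</log4j.version>
+<log4j.version>2.15.0</log4j.version>
 <lucene.version>8.10.1</lucene.version>
 <metrics.version>4.1.9</metrics.version>
 <mongodb-driver.version>3.12.1</mongodb-driver.version>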
