elasticsearch/trunk/patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch

   1 From 9a3422e1a6cf519e3fedce396784be2ef48dc7f9 Mon Sep 17 00:00:00 2001
   2 From: Mark Vieira <portugee@gmail.com>
   3 Date: Fri, 10 Dec 2021 15:51:38 -0800
   4 Subject: [PATCH] Patch log4j JAR to remove JndiLookup class (#81629)
   5
   6
   7 diff --git a/distribution/build.gradle b/distribution/build.gradle
   8 index feab67bfbf8..76549a83d0b 100644
   9 --- a/distribution/build.gradle
  10 +++ b/distribution/build.gradle
  11 @@ -275,6 +275,10 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
  12          }
  13        }
  14      }
  15 +    all {
  16 +      resolutionStrategy.dependencySubstitution {
  17 +        substitute module("org.apache.logging.log4j:log4j-core") using project(":libs:elasticsearch-log4j") because "patched to remove JndiLookup clas"}
  18 +    }
  19    }
  20
  21    dependencies {
  22 diff --git a/libs/build.gradle b/libs/build.gradle
  23 index 0614199b97b..952985f5aa5 100644
  24 --- a/libs/build.gradle
  25 +++ b/libs/build.gradle
  26 @@ -6,7 +6,7 @@
  27   * Side Public License, v 1.
  28   */
  29
  30 -subprojects {
  31 +configure(subprojects - project('elasticsearch-log4j')) {
  32    /*
  33     * All subprojects are java projects using Elasticsearch's standard build
  34     * tools.
  35 diff --git a/libs/log4j/build.gradle b/libs/log4j/build.gradle
  36 new file mode 100644
  37 index 00000000000..917a9f454a1
  38 --- /dev/null
  39 +++ b/libs/log4j/build.gradle
  40 @@ -0,0 +1,28 @@
  41 +plugins {
  42 +  id 'base'
  43 +  id 'elasticsearch.repositories'
  44 +}
  45 +
  46 +configurations {
  47 +  log4j {
  48 +    transitive = false
  49 +  }
  50 +}
  51 +
  52 +dependencies {
  53 +  log4j "org.apache.logging.log4j:log4j-core:${versions.log4j}"
  54 +}
  55 +
  56 +// Strip out JndiLookup class to avoid any possibility of exploitation of CVE-2021-44228
  57 +// See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
  58 +// See: https://issues.apache.org/jira/browse/LOG4J2-3201
  59 +def patchLog4j = tasks.register('patchLog4j', Zip) {
  60 +  archiveExtension = 'jar'
  61 +  from({ zipTree(configurations.log4j.singleFile) }) {
  62 +    exclude '**/JndiLookup.class'
  63 +  }
  64 +}
  65 +
  66 +artifacts {
  67 +  'default'(patchLog4j)
  68 +}
  69 --
  70 2.34.1
  71