Conversation

@StoneLabs
Contributor

Using rolling logs previously prevented the CVE-2021-44228 mitigation from working.
This commit forbids rolling logs if required to prevent CVE-2021-44228.

This can be considered a hotfix.

See #1189

@StoneLabs
Contributor Author

Tested for ENABLE_ROLLING_LOGS=TRUE and FALSE for 1.12 and 1.18:

root@4125eb90c629:/# export VERSION=1.18
[...]
SETUP_ONLY: java -Xmx1G -Xms1G -Dlog4j.configurationFile=/data/log4j2.xml -Dlog4j2.formatMsgNoLookups=true -jar 

root@4125eb90c629:/# export VERSION=1.12
[...]
[init] ERROR: Using rolling logs is currently not possible in the selected version due to CVE-2021-44228

root@4125eb90c629:/# export ENABLE_ROLLING_LOGS=FALSE
[...]
SETUP_ONLY: java -Xmx1G -Xms1G -Dlog4j.configurationFile=log4j2_112-116.xml -jar minecraft_server.1.12.jar

root@4125eb90c629:/# export VERSION=1.18
[...]
SETUP_ONLY: java -Xmx1G -Xms1G -Dlog4j2.formatMsgNoLookups=true -jar minecraft_server.1.18.jar
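The version gate that the test output above exercises, written out as an added shell example. This is not the image's actual start script; the function name, return codes and the `/data/log4j2.xml` rolling-log config path are assumptions taken from or modelled on the output above, and the `log4j2_17-111.xml` file for 1.7-1.11 comes from Mojang's published advisory rather than from this page. The point it makes concrete is why the two features collide: rolling logs work by passing the image's own `-Dlog4j.configurationFile`, and on 1.12-1.16 the CVE-2021-44228 mitigation is itself a replacement config file, so only one of them can win. On 1.17+ the mitigation is a system property and does not care which config file is loaded.

```shell
#!/bin/sh
# Added example, not the docker-minecraft-server start script: choose the
# CVE-2021-44228 mitigation for a server version and refuse ENABLE_ROLLING_LOGS
# where the image's own log4j config would replace the mitigated one.
#
#   1.17+       -> -Dlog4j2.formatMsgNoLookups=true (honoured by Log4j 2.10+)
#   1.12 - 1.16 -> -Dlog4j.configurationFile=log4j2_112-116.xml (as in the test output)
#   1.7  - 1.11 -> -Dlog4j.configurationFile=log4j2_17-111.xml (Mojang advisory, not this page)

ROLLING_LOG_CONFIG="/data/log4j2.xml"   # assumed path, as seen in the test output above

# Minor version of a "1.X[.Y]" string: 1.16.5 -> 16. Prints nothing for LATEST etc.
mc_minor() {
  case "$1" in
    1.*) printf '%s' "$1" | cut -d. -f2 ;;
  esac
}

# log4j_mitigation_flags VERSION ROLLING   (ROLLING is TRUE/FALSE like ENABLE_ROLLING_LOGS)
#   exit 0: JVM flags printed to stdout
#   exit 1: rolling logs requested but incompatible with the mitigation
#   exit 2: version not recognised; no mitigation chosen, caller must decide
log4j_mitigation_flags() {
  version="$1"
  rolling="$2"
  minor=$(mc_minor "$version")
  case "$minor" in
    ''|*[!0-9]*) return 2 ;;
  esac

  if [ "$minor" -ge 17 ]; then
    # Property-based fix: a custom config file does not interfere with it,
    # so rolling logs can stay enabled alongside the mitigation.
    flags="-Dlog4j2.formatMsgNoLookups=true"
    if [ "$rolling" = "TRUE" ]; then
      flags="-Dlog4j.configurationFile=$ROLLING_LOG_CONFIG $flags"
    fi
  elif [ "$minor" -ge 7 ]; then
    # Config-file-based fix: only one -Dlog4j.configurationFile can be set, and the
    # rolling config would replace the mitigated one, so refuse rolling logs here.
    if [ "$rolling" = "TRUE" ]; then
      echo "[init] ERROR: Using rolling logs is currently not possible in the selected version due to CVE-2021-44228" >&2
      return 1
    fi
    if [ "$minor" -ge 12 ]; then
      flags="-Dlog4j.configurationFile=log4j2_112-116.xml"
    else
      flags="-Dlog4j.configurationFile=log4j2_17-111.xml"
    fi
  else
    return 2
  fi
  printf '%s\n' "$flags"
}

# Constructed cases covering each branch (sample input, not real server runs).
for tc in "1.18 TRUE" "1.18 FALSE" "1.12 TRUE" "1.12 FALSE" "1.8.9 FALSE" "LATEST FALSE"; do
  set -- $tc
  if flags=$(log4j_mitigation_flags "$1" "$2" 2>/dev/null); then
    printf '%-7s rolling=%-5s -> %s\n' "$1" "$2" "$flags"
  else
    printf '%-7s rolling=%-5s -> refused\n' "$1" "$2"
  fi
done
```

The refusal is deliberately loud and fatal rather than silently dropping the rolling config: an operator who set ENABLE_ROLLING_LOGS=TRUE should learn at startup that the server is running without it, not discover later that the mitigation was the thing that got dropped.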

@StoneLabs
Contributor Author

Wait, I PR'd the wrong code xD, one second please.

@StoneLabs StoneLabs marked this pull request as draft December 12, 2021 10:42
@StoneLabs StoneLabs marked this pull request as ready for review December 12, 2021 10:49
@StoneLabs
Contributor Author

My bad. I've amended the correct code to the commit.
Should be good now.

Owner

@itzg itzg left a comment


This is a great fix at this point. Someday I want to add a subcommand to https://github.com/itzg/mc-image-helper to modify the application log4j config and insert the rolling log config.

@itzg
Owner

itzg commented Dec 12, 2021

This has been merged and pushed to all the image variants.
