Diffstat (limited to 'patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch')
-rw-r--r-- | patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch | 71 |
1 files changed, 0 insertions, 71 deletions
diff --git a/patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch b/patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch
deleted file mode 100644
index b0293d2e46e0..000000000000
--- a/patch-log4j-JAR-to-remove-JndiLookup-class-81629.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 9a3422e1a6cf519e3fedce396784be2ef48dc7f9 Mon Sep 17 00:00:00 2001
-From: Mark Vieira <portugee@gmail.com>
-Date: Fri, 10 Dec 2021 15:51:38 -0800
-Subject: [PATCH] Patch log4j JAR to remove JndiLookup class (#81629)
-
-
-diff --git a/distribution/build.gradle b/distribution/build.gradle
-index feab67bfbf8..76549a83d0b 100644
---- a/distribution/build.gradle
-+++ b/distribution/build.gradle
-@@ -275,6 +275,10 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
- }
- }
- }
-+ all {
-+ resolutionStrategy.dependencySubstitution {
-+ substitute module("org.apache.logging.log4j:log4j-core") using project(":libs:elasticsearch-log4j") because "patched to remove JndiLookup clas"}
-+ }
- }
-
- dependencies {
-diff --git a/libs/build.gradle b/libs/build.gradle
-index 0614199b97b..952985f5aa5 100644
---- a/libs/build.gradle
-+++ b/libs/build.gradle
-@@ -6,7 +6,7 @@
- * Side Public License, v 1.
- */
-
--subprojects {
-+configure(subprojects - project('elasticsearch-log4j')) {
- /*
- * All subprojects are java projects using Elasticsearch's standard build
- * tools.
-diff --git a/libs/log4j/build.gradle b/libs/log4j/build.gradle
-new file mode 100644
-index 00000000000..917a9f454a1
---- /dev/null
-+++ b/libs/log4j/build.gradle
-@@ -0,0 +1,28 @@
-+plugins {
-+ id 'base'
-+ id 'elasticsearch.repositories'
-+}
-+
-+configurations {
-+ log4j {
-+ transitive = false
-+ }
-+}
-+
-+dependencies {
-+ log4j "org.apache.logging.log4j:log4j-core:${versions.log4j}"
-+}
-+
-+// Strip out JndiLookup class to avoid any possibility of exploitation of CVE-2021-44228
-+// See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
-+// See: https://issues.apache.org/jira/browse/LOG4J2-3201
-+def patchLog4j = tasks.register('patchLog4j', Zip) {
-+ archiveExtension = 'jar'
-+ from({ zipTree(configurations.log4j.singleFile) }) {
-+ exclude '**/JndiLookup.class'
-+ }
-+}
-+
-+artifacts {
-+ 'default'(patchLog4j)
-+}
---
-2.34.1
- |