Patch elasticsearch to use log4j 2.17.0

openvidu-server/docker/openvidu-elasticsearch/Dockerfile

@@ -1,15 +0,0 @@
-ARG ELASTICSEARCH_VERSION
-FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTICSEARCH_VERSION}
-
-# Remove class which causes the CVE-2021-44228 and CVE-2021-45046 and disable log4j Message lookup
-# Elasticsearch mention that versions using jdk9+ they use a property which makes elasticsearch not susceptible of
-# RCE or DNS lookup. This is just to be 100% sure that the library can not potentialy in the future be triggered.
-# Those mitigation are the recommended ones:
-# - https://xeraa.net/blog/2021_mitigate-log4j2-log4shell-elasticsearch/
-# - https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
-ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
-RUN for jar_file in $(find / -name '*.jar' -exec grep -Hls JndiLookup.class {} \;); do \
-        zip -q -d "${jar_file}" org/apache/logging/log4j/core/lookup/JndiLookup.class; \
-    done
-
-

openvidu-server/docker/openvidu-elasticsearch/create_image.sh

@@ -1,7 +1,22 @@
 #!/bin/bash -x
+set -eu -o pipefail
 VERSION=$1
-if [[ ! -z $VERSION ]]; then
-    docker build --pull --no-cache --rm=true --build-arg ELASTICSEARCH_VERSION="$VERSION" -t openvidu/openvidu-elasticsearch:$VERSION .
+if [[ -n $VERSION ]]; then
+    rm -rf dockerfiles/
+    # Clone elasticsearch repositories
+    git clone https://github.com/elastic/dockerfiles
+    # Go to the specified version
+    cd dockerfiles || exit 1
+    git checkout v"${VERSION}"
+    cd ..
+    # Copy the patch into elasticsearch directory
+    cp elasticsearch_"${VERSION}"_patch_log4j.diff dockerfiles/elasticsearch
+    # Enter elasticsearch directory
+    cd dockerfiles/elasticsearch || exit 1
+    # Patch Dockerfile
+    patch < elasticsearch_"${VERSION}"_patch_log4j.diff
+    docker build --pull --no-cache --rm=true -t openvidu/openvidu-elasticsearch:"$VERSION" .
+    cd ../../ && rm -rf dockerfiles/
 else
     echo "Error: You need to specify a version as first argument"
 fi

openvidu-server/docker/openvidu-elasticsearch/elasticsearch_7.6.2_patch_log4j.diff

@@ -0,0 +1,25 @@
+--- Dockerfile	2021-12-20 12:08:44.603000000 +0100
++++ Dockerfile_new	2021-12-20 12:08:21.988000000 +0100
+@@ -21,9 +21,20 @@
+ 
+ WORKDIR /usr/share/elasticsearch
+ 
+-RUN cd /opt && curl --retry 8 -s -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.2-linux-x86_64.tar.gz && cd -
++RUN cd /opt && \
++    curl --retry 8 -s -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.2-linux-x86_64.tar.gz && cd - && \
++    tar zxf /opt/elasticsearch-7.6.2-linux-x86_64.tar.gz --strip-components=1 && \
++    # Remove SQS CLI which contains outdated log4j
++    rm /usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.6.2.jar && \
++    # Download log4j-api and log4j-core 2.17.0
++    curl https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/log4j-core-2.17.0.jar -o log4j-core-2.17.0.jar && \
++    curl https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/log4j-api-2.17.0.jar -o log4j-api-2.17.0.jar && \
++    # Remove outdated versions
++    rm /usr/share/elasticsearch/lib/log4j-core-*.jar && \
++    rm /usr/share/elasticsearch/lib/log4j-api-*.jar && \
++    # Move new lib
++    mv log4j-core-2.17.0.jar log4j-api-2.17.0.jar /usr/share/elasticsearch/lib/
+ 
+-RUN tar zxf /opt/elasticsearch-7.6.2-linux-x86_64.tar.gz --strip-components=1
+ RUN grep ES_DISTRIBUTION_TYPE=tar /usr/share/elasticsearch/bin/elasticsearch-env     && sed -i -e 's/ES_DISTRIBUTION_TYPE=tar/ES_DISTRIBUTION_TYPE=docker/' /usr/share/elasticsearch/bin/elasticsearch-env
+ RUN mkdir -p config data logs
+ RUN chmod 0775 config data logs

openvidu-server/docker/openvidu-elasticsearch/elasticsearch_7.8.0_patch_log4j.diff

@@ -0,0 +1,25 @@
+--- Dockerfile	2021-12-20 11:10:54.760000000 +0100
++++ Dockerfile_new	2021-12-20 11:11:00.512000000 +0100
+@@ -43,10 +43,19 @@
+ 
+ RUN curl --retry 8 -S -L \
+       --output /opt/elasticsearch.tar.gz \
+-      https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-$(arch).tar.gz
++      https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-$(arch).tar.gz && \
++      tar zxf /opt/elasticsearch.tar.gz --strip-components=1 && \
++      # Remove SQS CLI which contains outdated log4j
++      rm /usr/share/elasticsearch/bin/elasticsearch-sql-cli-7.8.0.jar && \
++      # Download log4j-api and log4j-core 2.17.0
++      curl https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/log4j-core-2.17.0.jar -o log4j-core-2.17.0.jar && \
++      curl https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/log4j-api-2.17.0.jar -o log4j-api-2.17.0.jar && \
++      # Remove outdated versions
++      rm /usr/share/elasticsearch/lib/log4j-core-*.jar && \
++      rm /usr/share/elasticsearch/lib/log4j-api-*.jar && \
++      # Move new lib
++      mv log4j-core-2.17.0.jar log4j-api-2.17.0.jar /usr/share/elasticsearch/lib/
+ 
+-
+-RUN tar zxf /opt/elasticsearch.tar.gz --strip-components=1
+ RUN sed -i -e 's/ES_DISTRIBUTION_TYPE=tar/ES_DISTRIBUTION_TYPE=docker/' /usr/share/elasticsearch/bin/elasticsearch-env
+ RUN mkdir -p config config/jvm.options.d data logs
+ RUN chmod 0775 config config/jvm.options.d data logs