Remove JMSAppender.class to avoid CVE-2021-4104,
CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307.

Though it does not contain a vulnerable configuration of log4j, to avoid needing to prove that and false positives of security scanners, this commit is the result of running the following commands:

    zip -q -d monasca_agent/collector/checks/libs/jmxfetch-0.3.0-jar-with-dependencies.jar org/apache/logging/log4j/core/lookup/JndiLookup.class org/apache/log4j/net/JMSAppender.class org/apache/log4j/jdbc/JDBCAppender.class org/apache/log4j/net/JMSSink.class org/apache/log4j/chainsaw"*"
    unzip monasca_agent/collector/checks/libs/jmxterm-1.0-DATADOG-uber.jar WORLDS-INF/lib/log4j.jar
    zip -q -d WORLDS-INF/lib/log4j.jar org/apache/logging/log4j/core/lookup/JndiLookup.class org/apache/log4j/net/JMSAppender.class org/apache/log4j/jdbc/JDBCAppender.class org/apache/log4j/net/JMSSink.class org/apache/log4j/chainsaw"*"
    zip monasca_agent/collector/checks/libs/jmxterm-1.0-DATADOG-uber.jar WORLDS-INF/lib/log4j.jar

Change-Id: Id47ba9397e7fef1ac8622abb2a1691a260f4bc9c
This commit is contained in:
parent
052ab23048
commit
dbb766218e
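An added example, not part of this commit or of the monasca-agent code base: a check that the entries named in the commit message are really gone from a jar, including from jars nested inside it such as WORLDS-INF/lib/log4j.jar. The function names, the depth limit of 3 and the reading of the chainsaw"*" glob as a name prefix are assumptions of this example.

```python
import io
import sys
import zipfile

# Entry names passed to `zip -q -d` in the commit message.
REMOVED = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
    "org/apache/log4j/net/JMSSink.class",
}
# Assumption: the commit's org/apache/log4j/chainsaw"*" glob is a name prefix.
REMOVED_PREFIX = "org/apache/log4j/chainsaw"


def find_leftovers(jar_bytes, label, depth=3):
    """Return targeted entries still present, descending into nested jars."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name in REMOVED or name.startswith(REMOVED_PREFIX):
                hits.append(f"{label}!{name}")
            elif name.lower().endswith(".jar") and depth > 0:
                try:
                    hits += find_leftovers(zf.read(name), f"{label}!{name}", depth - 1)
                except zipfile.BadZipFile:
                    hits.append(f"{label}!{name} (unreadable nested jar)")
    return hits


def build_jar(entries):
    """Build an in-memory jar from {name: bytes}; for constructed samples only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    found = []
    if sys.argv[1:]:  # scan the jars given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                found += find_leftovers(fh.read(), path)
    else:  # constructed sample: an unstripped log4j.jar nested in an uber jar
        inner = build_jar({"org/apache/log4j/net/JMSAppender.class": b""})
        found = find_leftovers(build_jar({"WORLDS-INF/lib/log4j.jar": inner}), "sample.jar")
    print("\n".join(found) or "no targeted classes found")
    sys.exit(1 if found and sys.argv[1:] else 0)  # non-zero only for real jars
```

Run with the two jar paths from the commit message as arguments; a non-zero exit status means at least one targeted entry is still packaged.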
Binary file not shown.
Binary file not shown.
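Review bot: both changed jars appear only as "Binary file not shown.", so the removal cannot be checked from the diff itself. Please record something reproducible in the commit message, for example the unzip -l listing of each rebuilt jar filtered for the deleted entry names, or a checksum of each resulting file, so a reviewer can rerun the commands and compare. The subject line also names only JMSAppender.class while the commands delete JndiLookup.class, JDBCAppender.class, JMSSink.class and the chainsaw entries as well; listing them all in the subject or body would keep the log accurate.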