From 71fcb50e179e8ff6f36ccc96fefc1d9fb484c734 Mon Sep 17 00:00:00 2001 From: Chris Hegarty <62058229+ChrisHegarty@users.noreply.github.com> Date: Sat, 18 Dec 2021 21:01:49 +0000 Subject: [PATCH] [6.8.22] Upgrade to log4j 2.17.0 (#81906) Backport of: Upgrade to log4j 2.17.0 Upgrade to log4j 2.17.0 #81902 Tolerate unprivileged log4j getClassLoaders calls Tolerate unprivileged log4j getClassLoaders calls #81840 Tolerate benign log4j status messages in tests Tolerate benign log4j status messages in tests #81851 --- buildSrc/version.properties | 2 +- .../licenses/log4j-slf4j-impl-2.11.1.jar.sha1 | 1 - .../licenses/log4j-slf4j-impl-2.17.0.jar.sha1 | 1 + server/build.gradle | 2 -- server/licenses/log4j-1.2-api-2.11.1.jar.sha1 | 1 - server/licenses/log4j-1.2-api-2.17.0.jar.sha1 | 1 + server/licenses/log4j-api-2.11.1.jar.sha1 | 1 - server/licenses/log4j-api-2.17.0.jar.sha1 | 1 + server/licenses/log4j-core-2.11.1.jar.sha1 | 1 - server/licenses/log4j-core-2.17.0.jar.sha1 | 1 + .../org/elasticsearch/bootstrap/ESPolicy.java | 26 +++++++++++++++++++ .../org/elasticsearch/test/ESTestCase.java | 23 +++++++++++++++- .../licenses/log4j-slf4j-impl-2.11.1.jar.sha1 | 1 - .../licenses/log4j-slf4j-impl-2.17.0.jar.sha1 | 1 + x-pack/plugin/sql/sql-action/build.gradle | 2 -- .../licenses/log4j-api-2.11.1.jar.sha1 | 1 - .../licenses/log4j-api-2.17.0.jar.sha1 | 1 + .../licenses/log4j-core-2.11.1.jar.sha1 | 1 - .../licenses/log4j-core-2.17.0.jar.sha1 | 1 + 19 files changed, 56 insertions(+), 13 deletions(-) delete mode 100644 plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.11.1.jar.sha1 create mode 100644 plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.17.0.jar.sha1 delete mode 100644 server/licenses/log4j-1.2-api-2.11.1.jar.sha1 create mode 100644 server/licenses/log4j-1.2-api-2.17.0.jar.sha1 delete mode 100644 server/licenses/log4j-api-2.11.1.jar.sha1 create mode 100644 server/licenses/log4j-api-2.17.0.jar.sha1 delete mode 100644 server/licenses/log4j-core-2.11.1.jar.sha1 create mode 100644 server/licenses/log4j-core-2.17.0.jar.sha1 delete mode 100644 x-pack/plugin/security/licenses/log4j-slf4j-impl-2.11.1.jar.sha1 create mode 100644 x-pack/plugin/security/licenses/log4j-slf4j-impl-2.17.0.jar.sha1 delete mode 100644 x-pack/plugin/sql/sql-action/licenses/log4j-api-2.11.1.jar.sha1 create mode 100644 x-pack/plugin/sql/sql-action/licenses/log4j-api-2.17.0.jar.sha1 delete mode 100644 x-pack/plugin/sql/sql-action/licenses/log4j-core-2.11.1.jar.sha1 create mode 100644 x-pack/plugin/sql/sql-action/licenses/log4j-core-2.17.0.jar.sha1 diff --git a/buildSrc/version.properties b/buildSrc/version.properties index f99847b27c137..6ffe28314cc63 100644 --- a/buildSrc/version.properties +++ b/buildSrc/version.properties @@ -12,7 +12,7 @@ snakeyaml = 1.17 icu4j = 62.1 supercsv = 2.4.0 # when updating log4j, please update also docs/java-api/index.asciidoc -log4j = 2.11.1 +log4j = 2.17.0 slf4j = 1.6.2 # when updating the JNA version, also update the version in buildSrc/build.gradle diff --git a/plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.11.1.jar.sha1 b/plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.11.1.jar.sha1 deleted file mode 100644 index 6178556b31848..0000000000000 --- a/plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.11.1.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -4b41b53a3a2d299ce381a69d165381ca19f62912 \ No newline at end of file diff --git a/plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.17.0.jar.sha1 b/plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.17.0.jar.sha1 new file mode 100644 index 0000000000000..fad46c4bc20fb --- /dev/null +++ b/plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.17.0.jar.sha1 @@ -0,0 +1 @@ +1ec25ce0254749c94549ea9c3cea34bd0488c9c6 \ No newline at end of file diff --git a/server/build.gradle b/server/build.gradle index bfda7942b7959..172a61f23db6f 100644 --- a/server/build.gradle +++ b/server/build.gradle @@ -283,13 +283,11 @@ thirdPartyAudit.ignoreMissingClasses ( 'org.apache.commons.compress.utils.IOUtils', 'org.apache.commons.csv.CSVFormat', 'org.apache.commons.csv.QuoteMode', - 'org.apache.kafka.clients.producer.Callback', 'org.apache.kafka.clients.producer.KafkaProducer', 'org.apache.kafka.clients.producer.Producer', 'org.apache.kafka.clients.producer.ProducerRecord', 'org.apache.kafka.clients.producer.RecordMetadata', 'org.codehaus.stax2.XMLStreamWriter2', - 'org.jctools.queues.MessagePassingQueue$Consumer', 'org.jctools.queues.MpscArrayQueue', 'org.osgi.framework.AdaptPermission', 'org.osgi.framework.AdminPermission', diff --git a/server/licenses/log4j-1.2-api-2.11.1.jar.sha1 b/server/licenses/log4j-1.2-api-2.11.1.jar.sha1 deleted file mode 100644 index 575d75dbda8c5..0000000000000 --- a/server/licenses/log4j-1.2-api-2.11.1.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -3aba3398fe064a3eab4331f88161c7480e848418 \ No newline at end of file diff --git a/server/licenses/log4j-1.2-api-2.17.0.jar.sha1 b/server/licenses/log4j-1.2-api-2.17.0.jar.sha1 new file mode 100644 index 0000000000000..e589ba5d981a0 --- /dev/null +++ b/server/licenses/log4j-1.2-api-2.17.0.jar.sha1 @@ -0,0 +1 @@ +aaf998968370edf738322fb750fbda118055508b \ No newline at end of file diff --git a/server/licenses/log4j-api-2.11.1.jar.sha1 b/server/licenses/log4j-api-2.11.1.jar.sha1 deleted file mode 100644 index 4b1bfffac179f..0000000000000 --- a/server/licenses/log4j-api-2.11.1.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -268f0fe4df3eefe052b57c87ec48517d64fb2a10 \ No newline at end of file diff --git a/server/licenses/log4j-api-2.17.0.jar.sha1 b/server/licenses/log4j-api-2.17.0.jar.sha1 new file mode 100644 index 0000000000000..400d6bd606f5b --- /dev/null +++ b/server/licenses/log4j-api-2.17.0.jar.sha1 @@ -0,0 +1 @@ +bbd791e9c8c9421e45337c4fe0a10851c086e36c \ No newline at end of file diff --git a/server/licenses/log4j-core-2.11.1.jar.sha1 b/server/licenses/log4j-core-2.11.1.jar.sha1 deleted file mode 100644 index f28de4bb600d8..0000000000000 --- a/server/licenses/log4j-core-2.11.1.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -fe18be6aecfbf008a8f479397d233dcf089e9643 \ No newline at end of file diff --git a/server/licenses/log4j-core-2.17.0.jar.sha1 b/server/licenses/log4j-core-2.17.0.jar.sha1 new file mode 100644 index 0000000000000..a83a26a8ae8d6 --- /dev/null +++ b/server/licenses/log4j-core-2.17.0.jar.sha1 @@ -0,0 +1 @@ +587127e2f8c5daaef9ba3806848675a1652959d3 \ No newline at end of file diff --git a/server/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java b/server/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java index 0785e4d491f76..dab217901891a 100644 --- a/server/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java +++ b/server/src/main/java/org/elasticsearch/bootstrap/ESPolicy.java @@ -31,8 +31,10 @@ import java.security.Permissions; import java.security.Policy; import java.security.ProtectionDomain; +import java.util.Arrays; import java.util.Collections; import java.util.Map; +import java.util.Optional; import java.util.function.Predicate; /** custom policy for union of static and dynamic permissions */ @@ -61,6 +63,26 @@ final class ESPolicy extends Policy { this.plugins = plugins; } + private static final Predicate JDK_BOOT = f -> f.getClassName().startsWith("java.lang.") + || f.getClassName().startsWith("java.security."); + private static final Predicate ES_BOOTSTRAP = f -> f.getClassName().startsWith("org.elasticsearch.bootstrap"); + private static final Predicate IS_LOG4J = f -> "org.apache.logging.log4j.util.LoaderUtil".equals(f.getClassName()) + && "getClassLoaders".equals(f.getMethodName()); + + /** + * Returns true if the top of the call stack has: + * 1) Only frames belonging from the JDK's boot loader or org.elasticsearch.bootstrap, followed directly by + * 2) org.apache.logging.log4j.util.LoaderUtil.getClassLoaders + */ + private static boolean isLoaderUtilGetClassLoaders() { + Optional frame = Arrays.stream(Thread.currentThread().getStackTrace()) + .filter(JDK_BOOT.or(ES_BOOTSTRAP).negate()) + .limit(1) + .findFirst() + .filter(IS_LOG4J); + return frame.isPresent(); + } + @Override @SuppressForbidden(reason = "fast equals check is desired") public boolean implies(ProtectionDomain domain, Permission permission) { CodeSource codeSource = domain.getCodeSource(); @@ -98,6 +120,10 @@ public boolean implies(ProtectionDomain domain, Permission permission) { } } + if (permission instanceof RuntimePermission && "getClassLoader".equals(permission.getName()) && isLoaderUtilGetClassLoaders()) { + return true; + } + // otherwise defer to template + dynamic file permissions return template.implies(domain, permission) || dynamic.implies(permission) || system.implies(domain, permission); } diff --git a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java index 0c580d0266e88..9c69d796822b4 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java @@ -161,9 +161,13 @@ import static java.util.Collections.emptyMap; import static java.util.Collections.singletonList; import static org.elasticsearch.common.util.CollectionUtils.arrayAsArrayList; +import static org.hamcrest.Matchers.anyOf; +import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.empty; +import static org.hamcrest.Matchers.emptyCollectionOf; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasItem; +import static org.hamcrest.Matchers.startsWith; /** * Base testcase for randomized unit testing with Elasticsearch @@ -501,6 +505,18 @@ public void log(StatusData data) { }); } + // Tolerate the absence or otherwise denial of these specific lookup classes. + // At some future time, we should require the JDNI warning. + private static final List LOG_4J_MSG_PREFIXES = getLog4jMsgPrefixes(); + private static List getLog4jMsgPrefixes() { + ArrayList list = new ArrayList<>(); + list.add("JNDI lookup class is not available because this JRE does not support JNDI. " + + "JNDI string lookups will not be available, continuing configuration."); + list.add("JMX runtime input lookup class is not available because this JRE does not support JMX. " + + "JMX lookups will not be available, continuing configuration. "); + return Collections.unmodifiableList(list); + } + // separate method so that this can be checked again after suite scoped cluster is shut down protected static void checkStaticState(boolean afterClass) throws Exception { if (afterClass) { @@ -516,7 +532,12 @@ protected static void checkStaticState(boolean afterClass) throws Exception { // StatusData instances to Strings as otherwise their toString output is useless assertThat( statusData.stream().map(status -> status.getMessage().getFormattedMessage()).collect(Collectors.toList()), - empty()); + anyOf( + emptyCollectionOf(String.class), + contains(startsWith(LOG_4J_MSG_PREFIXES.get(0)), startsWith(LOG_4J_MSG_PREFIXES.get(1))), + contains(startsWith(LOG_4J_MSG_PREFIXES.get(1))) + ) + ); } finally { // we clear the list so that status data from other tests do not interfere with tests within the same JVM statusData.clear(); diff --git a/x-pack/plugin/security/licenses/log4j-slf4j-impl-2.11.1.jar.sha1 b/x-pack/plugin/security/licenses/log4j-slf4j-impl-2.11.1.jar.sha1 deleted file mode 100644 index 6178556b31848..0000000000000 --- a/x-pack/plugin/security/licenses/log4j-slf4j-impl-2.11.1.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -4b41b53a3a2d299ce381a69d165381ca19f62912 \ No newline at end of file diff --git a/x-pack/plugin/security/licenses/log4j-slf4j-impl-2.17.0.jar.sha1 b/x-pack/plugin/security/licenses/log4j-slf4j-impl-2.17.0.jar.sha1 new file mode 100644 index 0000000000000..fad46c4bc20fb --- /dev/null +++ b/x-pack/plugin/security/licenses/log4j-slf4j-impl-2.17.0.jar.sha1 @@ -0,0 +1 @@ +1ec25ce0254749c94549ea9c3cea34bd0488c9c6 \ No newline at end of file diff --git a/x-pack/plugin/sql/sql-action/build.gradle b/x-pack/plugin/sql/sql-action/build.gradle index 86a028186f441..fe75f8b330996 100644 --- a/x-pack/plugin/sql/sql-action/build.gradle +++ b/x-pack/plugin/sql/sql-action/build.gradle @@ -115,13 +115,11 @@ thirdPartyAudit.ignoreMissingClasses ( 'org.apache.commons.compress.utils.IOUtils', 'org.apache.commons.csv.CSVFormat', 'org.apache.commons.csv.QuoteMode', - 'org.apache.kafka.clients.producer.Callback', 'org.apache.kafka.clients.producer.KafkaProducer', 'org.apache.kafka.clients.producer.Producer', 'org.apache.kafka.clients.producer.ProducerRecord', 'org.apache.kafka.clients.producer.RecordMetadata', 'org.codehaus.stax2.XMLStreamWriter2', - 'org.jctools.queues.MessagePassingQueue$Consumer', 'org.jctools.queues.MpscArrayQueue', 'org.osgi.framework.AdaptPermission', 'org.osgi.framework.AdminPermission', diff --git a/x-pack/plugin/sql/sql-action/licenses/log4j-api-2.11.1.jar.sha1 b/x-pack/plugin/sql/sql-action/licenses/log4j-api-2.11.1.jar.sha1 deleted file mode 100644 index 4b1bfffac179f..0000000000000 --- a/x-pack/plugin/sql/sql-action/licenses/log4j-api-2.11.1.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -268f0fe4df3eefe052b57c87ec48517d64fb2a10 \ No newline at end of file diff --git a/x-pack/plugin/sql/sql-action/licenses/log4j-api-2.17.0.jar.sha1 b/x-pack/plugin/sql/sql-action/licenses/log4j-api-2.17.0.jar.sha1 new file mode 100644 index 0000000000000..400d6bd606f5b --- /dev/null +++ b/x-pack/plugin/sql/sql-action/licenses/log4j-api-2.17.0.jar.sha1 @@ -0,0 +1 @@ +bbd791e9c8c9421e45337c4fe0a10851c086e36c \ No newline at end of file diff --git a/x-pack/plugin/sql/sql-action/licenses/log4j-core-2.11.1.jar.sha1 b/x-pack/plugin/sql/sql-action/licenses/log4j-core-2.11.1.jar.sha1 deleted file mode 100644 index 2fb8589380a03..0000000000000 --- a/x-pack/plugin/sql/sql-action/licenses/log4j-core-2.11.1.jar.sha1 +++ /dev/null @@ -1 +0,0 @@ -592a48674c926b01a9a747c7831bcd82a9e6d6e4 \ No newline at end of file diff --git a/x-pack/plugin/sql/sql-action/licenses/log4j-core-2.17.0.jar.sha1 b/x-pack/plugin/sql/sql-action/licenses/log4j-core-2.17.0.jar.sha1 new file mode 100644 index 0000000000000..933b9701a5ec9 --- /dev/null +++ b/x-pack/plugin/sql/sql-action/licenses/log4j-core-2.17.0.jar.sha1 @@ -0,0 +1 @@ +fe6e7a32c1228884b9691a744f953a55d0dd8ead \ No newline at end of file