Mitigate log4j2 issues identified in CVE-2021-44228 Remove JndiLookup.class from log4j2 JAR as suggested in https://logging.apache.org/log4j/2.x/security.html Change-Id: I88b3bae462ddb7182cc71e17dfa2036d5d9dae62

commit: a86c946c2a96fcfccdb74819a610da054401c69d [log] [tgz]
author: Daniele Moro <daniele@opennetworking.org> Thu Dec 16 18:29:05 2021 +0100
committer: Andrea Campanella <andrea@opennetworking.org> Wed Dec 29 09:13:19 2021 +0000
tree: 2caf5b6404f9b4dbf99cca6017cbc4cc9f221c0f
parent: 68b4048eabd8dfa2718924d22479e23c14163199 [diff]
diff --git a/tools/package/onos-prep-karaf b/tools/package/onos-prep-karaf
index c707206..45029ea 100755
--- a/tools/package/onos-prep-karaf
+++ b/tools/package/onos-prep-karaf

@@ -38,6 +38,10 @@
 echo "felix.fileinstall.filter='\\*.jar'" >> \
     $KARAF_DIR/etc/org.apache.felix.fileinstall-deploy.cfg
 
+# Patch log4j to mitigate CVE-2021-44228
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
+zip -q -d  $KARAF_DIR/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
+
 # Patch-in proper Karaf version into the startup script
 perl -pi.bk -e 's/apache-karaf-\$KARAF_VERSION/$ENV{KARAF_DIR}/g' $SANDBOX/bin/onos-service
commit	a86c946c2a96fcfccdb74819a610da054401c69d	[log] [tgz]
author	Daniele Moro <daniele@opennetworking.org>	Thu Dec 16 18:29:05 2021 +0100
committer	Andrea Campanella <andrea@opennetworking.org>	Wed Dec 29 09:13:19 2021 +0000
tree	2caf5b6404f9b4dbf99cca6017cbc4cc9f221c0f
parent	68b4048eabd8dfa2718924d22479e23c14163199 [diff]