[6.8] Patch log4j JAR to remove JndiLookup class (#81632)

Author: mark-vieira

libs/build.gradle

@@ -17,12 +17,12 @@
  * under the License.
  */
 
-subprojects {
-    /*
-     * All subprojects are java projects using Elasticsearch's standard build
-     * tools.
-     */
-    apply plugin: 'elasticsearch.build'
+configure(subprojects - project('log4j')) {
+  /*
+   * All subprojects are java projects using Elasticsearch's standard build
+   * tools.
+   */
+  apply plugin: 'elasticsearch.build'
 
     /*
      * Subprojects may depend on the "core" lib but may not depend on any

libs/log4j/build.gradle

@@ -0,0 +1,34 @@
+import org.elasticsearch.gradle.VersionProperties
+import org.elasticsearch.gradle.BuildPlugin
+
+plugins {
+  id 'base'
+}
+
+configurations {
+  log4j {
+    transitive = false
+  }
+}
+
+BuildPlugin.configureRepositories(project)
+def log4jVersion = VersionProperties.versions.log4j
+dependencies {
+  log4j "org.apache.logging.log4j:log4j-core:${log4jVersion}"
+}
+
+// Strip out JndiLookup class to avoid any possibility of exploitation of CVE-2021-44228
+// See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
+// See: https://issues.apache.org/jira/browse/LOG4J2-3201
+task patchLog4j(type: Zip) {
+  extension = 'jar'
+  baseName = 'log4j-core'
+  version = log4jVersion
+  from({ zipTree(configurations.log4j.singleFile) }) {
+    exclude '**/JndiLookup.class'
+  }
+}
+
+artifacts {
+  'default'(patchLog4j)
+}

server/build.gradle

@@ -72,6 +72,12 @@ if (!isEclipse) {
   }
 }
 
+configurations.all {
+  resolutionStrategy.dependencySubstitution {
+    substitute module("org.apache.logging.log4j:log4j-core") because "patched to remove JndiLookup class" with project(":libs:log4j")
+  }
+}
+
 dependencies {
 
   compile "org.elasticsearch:elasticsearch-core:${version}"

server/licenses/log4j-core-2.11.1.jar.sha1

@@ -1 +1 @@
-592a48674c926b01a9a747c7831bcd82a9e6d6e4
+fe18be6aecfbf008a8f479397d233dcf089e9643