Mapstore log4j fixes update on stable branch (#7666)

Author: offtherailz

docs/developer-guide/mapstore-migration-guide.md

@@ -20,6 +20,74 @@ This is a list of things to check if you want to update from a previous version
 - Optionally check also accessory files like `.eslinrc`, if you want to keep aligned with lint standards.
 - Follow the instructions below, in order, from your version to the one you want to update to.
 
+## Migration from 2021.02.00 to 2021.02.01
+
+This update contains a fix for a minor vulnerability found in `log4j` library.
+For this reason you may need to update the dependencies of your project
+
+!!! note
+    This vulnerability **is not** [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)
+    but only a couple of smaller ones, that involve `Log4J` ( [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) is for `Log4J2` ).
+    Anyway MapStore is not prone to these vulnerabilities with the default configuration.
+    For more information, see the dedicated [blog post](https://www.geosolutionsgroup.com/blog/geosolutions-lo4shell/)
+
+here the instructions:
+
+### Align `pom.xml` files
+
+Here the changes in `pom.xml` and `web/pom.xml` to update:
+
+- Change `mapstore-backend` into `mapstore-services` and set the version to `1.2.2`
+
+```diff
+<!-- MapStore backend -->
+    <dependency>
+    <groupId>it.geosolutions.mapstore</groupId>
+-      <artifactId>mapstore-backend</artifactId>
+-      <version>1.2.1</version>
++      <artifactId>mapstore-services</artifactId>
++      <version>1.2.2</version>
+    </dependency>
+```
+
+- Set `geostore-webapp` version to `1.7.1`
+
+```diff
+    <dependency>
+    <groupId>it.geosolutions.geostore</groupId>
+    <artifactId>geostore-webapp</artifactId>
+-      <version>1.7.0</version>
++      <version>1.7.1</version>
+    <type>war</type>
+    <scope>runtime</scope>
+    </dependency>
+```
+
+- Set `http_proxy` version to `1.1.1` (should already be there)
+
+```diff
+    <dependency>
+    <!-- ... -->
+    <groupId>proxy</groupId>
+    <artifactId>http_proxy</artifactId>
+-      <version>1.1.0</version>
++      <version>1.1.1</version>
+    <type>war</type>
+    <scope>runtime</scope>
+    </dependency>
+```
+
+- Set `print-lib` version `geosolutions-2.0` to version `geosolutions-2.0.1`
+
+```diff
+    <dependency>
+        <groupId>org.mapfish.print</groupId>
+        <artifactId>print-lib</artifactId>
+-        <version>geosolutions-2.0</version>
++        <version>geosolutions-2.0.1</version>
+    </dependency>
+```
+
 ## Migration from 2021.01.04 to 2021.02.00
 
 ### Theme updates and CSS variables

java/pom.xml

@@ -4,7 +4,7 @@
   <groupId>it.geosolutions.mapstore</groupId>
   <artifactId>mapstore-java</artifactId>
   <packaging>pom</packaging>
-  <version>1.2.1</version>
+  <version>1.2-SNAPSHOT</version>
   <name>MapStore 2</name>
   <url>http://www.geo-solutions.it</url>
 

java/printing/pom.xml

@@ -4,7 +4,7 @@
   <groupId>it.geosolutions.mapstore</groupId>
   <artifactId>mapstore-print</artifactId>
   <packaging>pom</packaging>
-  <version>1.2.1</version>
+  <version>1.2-SNAPSHOT</version>
   <name>MapStore 2 - Printing extension bundle</name>
   <url>http://www.geo-solutions.it</url>
 
@@ -18,7 +18,7 @@
     <dependency>
         <groupId>org.mapfish.print</groupId>
         <artifactId>print-lib</artifactId>
-        <version>geosolutions-2.0</version>
+        <version>geosolutions-2.0.1</version>
     </dependency>
   </dependencies>
 

java/services/pom.xml

@@ -4,7 +4,7 @@
   <groupId>it.geosolutions.mapstore</groupId>
   <artifactId>mapstore-services</artifactId>
   <packaging>jar</packaging>
-  <version>1.2.1</version>
+  <version>1.2-SNAPSHOT</version>
   <name>MapStore 2 - Backend Services</name>
   <url>http://www.geo-solutions.it</url>
 
@@ -26,7 +26,19 @@
         <groupId>eu.medsea.mimeutil</groupId>
         <artifactId>mime-util</artifactId>
         <version>2.1.3</version>
+        <exclusions>
+            <exclusion>
+                <groupId>log4j</groupId>
+                <artifactId>log4j</artifactId>
+            </exclusion>
+        </exclusions>
     </dependency>
+    <dependency>
+        <groupId>log4j</groupId>
+        <artifactId>log4j</artifactId>
+        <version>1.2.17.norce</version>
+    </dependency>
+    <!-- Replace log4j coming from mimeutil with the secure one-->
 
     <!-- Spring -->
     <!-- https://mvnrepository.com/artifact/org.springframework/spring-webmvc -->

java/web/pom.xml

@@ -4,7 +4,7 @@
   <groupId>it.geosolutions.mapstore</groupId>
   <artifactId>mapstore-webapp</artifactId>
   <packaging>war</packaging>
-  <version>1.2.1</version>
+  <version>1.2-SNAPSHOT</version>
   <name>MapStore 2 - WAR</name>
   <url>http://www.geo-solutions.it</url>
 
@@ -19,7 +19,7 @@
     <dependency>
         <groupId>it.geosolutions.mapstore</groupId>
         <artifactId>mapstore-services</artifactId>
-        <version>1.2.1</version>
+        <version>1.2-SNAPSHOT</version>
     </dependency>
 
     <!-- ================================================================ -->
@@ -28,14 +28,14 @@
     <dependency>
       <groupId>it.geosolutions.geostore</groupId>
       <artifactId>geostore-webapp</artifactId>
-      <version>1.7.0</version>
+      <version>1.7.1</version>
       <type>war</type>
       <scope>runtime</scope>
     </dependency>
     <dependency>
       <groupId>proxy</groupId>
       <artifactId>http_proxy</artifactId>
-      <version>1.1.0</version>
+      <version>1.1.1</version>
       <type>war</type>
       <scope>runtime</scope>
     </dependency>

pom.xml

@@ -4,7 +4,7 @@
   <groupId>it.geosolutions.mapstore</groupId>
   <artifactId>mapstore-root</artifactId>
   <packaging>pom</packaging>
-  <version>1.2.1</version>
+  <version>1.2-SNAPSHOT</version>
   <name>MapStore Root</name>
 
   <properties>

product/pom.xml

@@ -4,7 +4,7 @@
   <groupId>it.geosolutions.mapstore</groupId>
   <artifactId>mapstore-product</artifactId>
   <packaging>war</packaging>
-  <version>1.2.1</version>
+  <version>1.2-SNAPSHOT</version>
   <name>MapStore Product Web Application</name>
 
   <properties>
@@ -17,7 +17,7 @@
     <dependency>
       <groupId>it.geosolutions.mapstore</groupId>
       <artifactId>mapstore-webapp</artifactId>
-      <version>1.2.1</version>
+      <version>1.2-SNAPSHOT</version>
       <type>war</type>
       <scope>runtime</scope>
     </dependency>
@@ -409,7 +409,7 @@
         <dependency>
             <groupId>org.mapfish.print</groupId>
             <artifactId>print-lib</artifactId>
-            <version>geosolutions-2.0</version>
+            <version>geosolutions-2.0.1</version>
             <exclusions>
                 <exclusion>
                     <groupId>commons-codec</groupId>

project/custom/templates/web/pom.xml

@@ -21,22 +21,22 @@
     <dependency>
       <groupId>it.geosolutions.mapstore</groupId>
       <artifactId>mapstore-services</artifactId>
-      <version>1.2.1</version>
+      <version>1.2-SNAPSHOT</version>
     </dependency>
     <!-- ================================================================ -->
     <!-- GeoStore modules -->
     <!-- ================================================================ -->
     <dependency>
       <groupId>it.geosolutions.geostore</groupId>
       <artifactId>geostore-webapp</artifactId>
-      <version>1.7.0</version>
+      <version>1.7.1</version>
       <type>war</type>
       <scope>runtime</scope>
     </dependency>
     <dependency>
       <groupId>proxy</groupId>
       <artifactId>http_proxy</artifactId>
-      <version>1.1.0</version>
+      <version>1.1.1</version>
       <type>war</type>
       <scope>runtime</scope>
     </dependency>

project/standard/templates/web/pom.xml

@@ -21,22 +21,22 @@
     <dependency>
       <groupId>it.geosolutions.mapstore</groupId>
       <artifactId>mapstore-services</artifactId>
-      <version>1.2.1</version>
+      <version>1.2-SNAPSHOT</version>
     </dependency>
     <!-- ================================================================ -->
     <!-- GeoStore modules -->
     <!-- ================================================================ -->
     <dependency>
       <groupId>it.geosolutions.geostore</groupId>
       <artifactId>geostore-webapp</artifactId>
-      <version>1.7.0</version>
+      <version>1.7.1</version>
       <type>war</type>
       <scope>runtime</scope>
     </dependency>
     <dependency>
       <groupId>proxy</groupId>
       <artifactId>http_proxy</artifactId>
-      <version>1.1.0</version>
+      <version>1.1.1</version>
       <type>war</type>
       <scope>runtime</scope>
     </dependency>
@@ -536,7 +536,7 @@
                 <dependency>
                     <groupId>org.mapfish.print</groupId>
                     <artifactId>print-lib</artifactId>
-                    <version>geosolutions-2.0</version>
+                    <version>geosolutions-2.0.1</version>
                 </dependency>
             </dependencies>
             </profile>

release/bin-war/pom.xml

@@ -18,7 +18,7 @@
         <dependency>
             <groupId>it.geosolutions.mapstore</groupId>
             <artifactId>mapstore-product</artifactId>
-            <version>1.2.1</version>
+            <version>1.2-SNAPSHOT</version>
             <type>war</type>
             <scope>runtime</scope>
         </dependency>