Posted to notifications@james.apache.org by bt...@apache.org on 2023/02/25 14:12:09 UTC

[james-project] branch master updated: JAMES-3881 Unregister LOG4J MBeans (#1458)

This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git


The following commit(s) were added to refs/heads/master by this push:
     new c84de34fad JAMES-3881 Unregister LOG4J MBeans (#1458)
c84de34fad is described below

commit c84de34fad6c6c1de98cbd1a853064c727ab06f8
Author: Benoit TELLIER <bt...@linagora.com>
AuthorDate: Sat Feb 25 21:12:03 2023 +0700

    JAMES-3881 Unregister LOG4J MBeans (#1458)
    
    As they might allow arbitrary file read/writes
---
 server/apps/spring-app/pom.xml                       |  2 ++
 .../apache/james/app/spring/JamesAppSpringMain.java  | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/server/apps/spring-app/pom.xml b/server/apps/spring-app/pom.xml
index 182ef0f567..2c6272124f 100644
--- a/server/apps/spring-app/pom.xml
+++ b/server/apps/spring-app/pom.xml
@@ -49,10 +49,12 @@
         <javamail.system-property9>-Dmail.mime.decodeparameters=true</javamail.system-property9>
         <javamail.system-property10>-Dmail.mime.address.strict=false</javamail.system-property10>
         <javamail.system-property11>-Djmx.remote.x.mlet.allow.getMBeansFromURL=false</javamail.system-property11>
+        <javamail.system-property12>-Djames.jmx.unregister.log4j.mbeans=true</javamail.system-property12>
         <javamail.system-properties>${javamail.system-property1} ${javamail.system-property2}
             ${javamail.system-property3} ${javamail.system-property4} ${javamail.system-property5}
             ${javamail.system-property6} ${javamail.system-property7} ${javamail.system-property8}
             ${javamail.system-property9} ${javamail.system-property10} ${javamail.system-property11}
+            ${javamail.system-property12}
         </javamail.system-properties>
 
         <!-- JMX system properties -->
diff --git a/server/apps/spring-app/src/main/java/org/apache/james/app/spring/JamesAppSpringMain.java b/server/apps/spring-app/src/main/java/org/apache/james/app/spring/JamesAppSpringMain.java
index f8bf9f2659..e88001f8ac 100644
--- a/server/apps/spring-app/src/main/java/org/apache/james/app/spring/JamesAppSpringMain.java
+++ b/server/apps/spring-app/src/main/java/org/apache/james/app/spring/JamesAppSpringMain.java
@@ -18,23 +18,33 @@
  ****************************************************************/
 package org.apache.james.app.spring;
 
+import java.lang.management.ManagementFactory;
 import java.util.Calendar;
 
+import javax.management.MBeanServer;
+import javax.management.ObjectName;
+import javax.management.QueryExp;
+
 import org.apache.commons.daemon.Daemon;
 import org.apache.commons.daemon.DaemonContext;
 import org.apache.james.container.spring.context.JamesServerApplicationContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.github.fge.lambdas.Throwing;
+
 /**
  * Bootstraps James using a Spring container.
  */
 public class JamesAppSpringMain implements Daemon {
+    private static final ObjectName ALL_OBJECT_NAME = null;
+    private static final QueryExp ALL_QUERY_EXP = null;
 
     private static final Logger LOGGER = LoggerFactory.getLogger(JamesAppSpringMain.class.getName());
     private JamesServerApplicationContext context;
 
     public static void main(String[] args) throws Exception {
+        unregisterLog4JMBeans();
 
         if (System.getProperty("com.sun.management.jmxremote.password.file") == null) {
             LOGGER.warn("No authentication setted up for the JMX component. This expose you to local privilege escalation attacks risk. " +
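Review bot: `unregisterLog4JMBeans()` is called only from `main`, yet the class implements `Daemon`, so a server started through commons-daemon may never run it. The `init`/`start` methods and the rest of `main` are outside this hunk, so this needs confirming: if the daemon launcher invokes `init(DaemonContext)` directly, the Log4j MBeans stay registered on that launch path. Calling the method from `init` as well would cover both paths, and a second sweep is harmless because it finds nothing left to remove. The constants `ALL_OBJECT_NAME` and `ALL_QUERY_EXP` also deserve a one-line comment such as `// null name and null query select every registered MBean`.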
@@ -52,6 +62,16 @@ public class JamesAppSpringMain implements Daemon {
 
     }
 
+    private static void unregisterLog4JMBeans() {
+        if (System.getProperty("james.jmx.unregister.log4j.mbeans", "true").equals("true")) {
+            MBeanServer platformMBeanServer = ManagementFactory.getPlatformMBeanServer();
+            platformMBeanServer.queryMBeans(ALL_OBJECT_NAME, ALL_QUERY_EXP)
+                .stream()
+                .filter(objectInstance -> objectInstance.getClassName().startsWith("org.apache.logging.log4j"))
+                .forEach(Throwing.consumer(objectInstance -> platformMBeanServer.unregisterMBean(objectInstance.getObjectName())));
+        }
+    }
+
     @Override
     public void destroy() {
     }
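Review bot: The sweep in `unregisterLog4JMBeans()` runs once, so it removes only the Log4j MBeans already registered when `main` starts. If Log4j registers them again later (it appears to do so when a logger context is reconfigured, worth confirming), the file read/write exposure named in the commit message returns. Setting Log4j's own `-Dlog4j2.disableJmx=true` alongside this would stop the beans from being registered at all. Separately, the opt-out test `.equals("true")` is case-sensitive and fails open: `=True` or a typo silently skips the unregistration, whereas `!"false".equalsIgnoreCase(System.getProperty("james.jmx.unregister.log4j.mbeans"))` keeps the hardening on unless it is explicitly disabled. Logging how many MBeans were removed, and warning when the step is disabled, would make the resulting state auditable.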

