From 5b38441b16b1ebb16a27c107a4c3865776e20c53 Mon Sep 17 00:00:00 2001
From: Mark Vieira
Date: Fri, 10 Dec 2021 15:53:32 -0800
Subject: [PATCH] Patch log4j JAR to remove JndiLookup class (#81631)
---
 distribution/build.gradle | 4 ++++
 libs/build.gradle | 2 +-
 libs/log4j/build.gradle | 28 ++++++++++++++++++++++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 libs/log4j/build.gradle
diff --git a/distribution/build.gradle b/distribution/build.gradle
index dbd20947ffa47..fa17477116ff6 100644
--- a/distribution/build.gradle
+++ b/distribution/build.gradle
@@ -276,6 +276,10 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
 }
 }
 }
+ all {
+ resolutionStrategy.dependencySubstitution {
+ substitute module("org.apache.logging.log4j:log4j-core") using project(":libs:elasticsearch-log4j") because "patched to remove JndiLookup clas"}
+ }
 }
 dependencies {
diff --git a/libs/build.gradle b/libs/build.gradle
index 0614199b97b97..952985f5aa539 100644
--- a/libs/build.gradle
+++ b/libs/build.gradle
@@ -6,7 +6,7 @@
 * Side Public License, v 1.
 */
-subprojects {
+configure(subprojects - project('elasticsearch-log4j')) {
 /*
 * All subprojects are java projects using Elasticsearch's standard build
 * tools.
diff --git a/libs/log4j/build.gradle b/libs/log4j/build.gradle
new file mode 100644
index 0000000000000..917a9f454a16f
--- /dev/null
+++ b/libs/log4j/build.gradle
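Review bot: The substitution added in `all { resolutionStrategy.dependencySubstitution { ... } }` only reaches configurations of the subprojects selected by the enclosing `configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) })`, so any other build output that resolves `org.apache.logging.log4j:log4j-core` on its own would still carry the unpatched jar. Whether such outputs exist cannot be seen from this hunk, and the enclosing block starts and ends outside it. A comment above the block stating that scope would help, for example `// Only archives/packages are covered here; anything else that bundles log4j-core needs the same substitution`. Separately, the reason string is truncated and the closing brace shares its line; `because "patched to remove JndiLookup class"` with `}` on the next line reads better in dependency reports.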
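Review bot: The block comment directly below the changed line still says `All subprojects are java projects using Elasticsearch's standard build tools`, which stops being true once `elasticsearch-log4j` is subtracted from the set. Reword it along the lines of `All subprojects except elasticsearch-log4j (a repackaged log4j-core jar) are java projects using Elasticsearch's standard build tools`, so the reason for the exclusion is recorded where it is made. The `configure` block continues past the end of the hunk.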
@@ -0,0 +1,28 @@
+plugins {
+ id 'base'
+ id 'elasticsearch.repositories'
+}
+
+configurations {
+ log4j {
+ transitive = false
+ }
+}
+
+dependencies {
+ log4j "org.apache.logging.log4j:log4j-core:${versions.log4j}"
+}
+
+// Strip out JndiLookup class to avoid any possibility of exploitation of CVE-2021-44228
+// See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
+// See: https://issues.apache.org/jira/browse/LOG4J2-3201
+def patchLog4j = tasks.register('patchLog4j', Zip) {
+ archiveExtension = 'jar'
+ from({ zipTree(configurations.log4j.singleFile) }) {
+ exclude '**/JndiLookup.class'
+ }
+}
+
+artifacts {
+ 'default'(patchLog4j)
+}
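Review bot: Nothing in `patchLog4j` checks that `exclude '**/JndiLookup.class'` actually matched an entry, so if a later `versions.log4j` renames or relocates the class, the task still succeeds and the build ships an unpatched jar that everyone assumes is patched. A `doFirst` guard that fails when the input jar has no matching entry would make the CVE-2021-44228 mitigation verifiable at build time. The repackaged jar presumably also keeps the upstream manifest and embedded Maven metadata, so scanners that key on those may still report the CVE. A comment next to the task saying so would save triage time.

```groovy
def patchLog4j = tasks.register('patchLog4j', Zip) {
  // … unchanged: archiveExtension and the from/exclude spec …
  doFirst {
    // Fail the build if the class this patch exists to remove is not where we expect it.
    def jndiLookup = zipTree(configurations.log4j.singleFile).matching {
      include '**/JndiLookup.class'
    }
    if (jndiLookup.isEmpty()) {
      throw new GradleException("JndiLookup.class not found in ${configurations.log4j.singleFile.name}; review the patchLog4j exclusion")
    }
  }
}
```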