log4j: Support for sbt > 1.5.8 #225
Comments
Experiencing the same issue. I can't get my play-ebean project to compile with any sbt version higher than 1.3.13.
Hey @hertg, in case this helps you, something I did to fix my prod app is remove sbt from my container after using it to build my distro. After doing this, Aqua Security is no longer detecting the log4j vulnerability in my container. Here's my Dockerfile:

```dockerfile
FROM eclipse-temurin:11
# ********** REMEMBER TO ALSO UPDATE sbt.version IN build.properties **********
ARG SBT_VERSION=1.3.13
ARG APP_NAME=myserver

# Copy build context to the container
COPY . ./$APP_NAME
WORKDIR $APP_NAME

# Install software and create distributable package.
# The base image ships with an empty apt cache, so update it before the first
# install; unzip is needed to unpack the dist (harmless if already present).
RUN echo "INSTALLING SBT" && \
    apt-get update && \
    apt-get -y install gnupg curl unzip && \
    echo "deb https://repo.scala-sbt.org/scalasbt/debian all main" | tee /etc/apt/sources.list.d/sbt.list && \
    echo "deb https://repo.scala-sbt.org/scalasbt/debian /" | tee /etc/apt/sources.list.d/sbt_old.list && \
    curl -sL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x2EE0EA64E40A89B84B2DF73499E82A75642AC823" | apt-key add && \
    apt-get update && \
    apt-get -y install sbt=$SBT_VERSION && \
    sbt version && \
    echo "MAKING DISTRIBUTABLE" && \
    sbt clean dist && \
    unzip -o target/universal/$APP_NAME-*.zip && \
    chmod +x $APP_NAME-*/bin/$APP_NAME && \
    echo "CLEANING UP SBT AND LOG4J" && \
    # Remove the sbt package and the caches under /root (~/.ivy2, ~/.sbt,
    # ~/.cache) where sbt stored the log4j jars it downloaded for itself.
    apt-get -y remove gnupg sbt && \
    rm -R /root/

# Define that the startup script should run upon docker run command.
# ARG variables are not compatible with ENTRYPOINT and CMD, so they need to be converted to ENV variables.
ENV ENV_APP_NAME=$APP_NAME
ENTRYPOINT exec $ENV_APP_NAME-*/bin/$ENV_APP_NAME
```

Hope this helps you!
play-ebean 6.2.0-RC4 released, please have a look at the release notes on how to upgrade: https://github.com/playframework/play-ebean/releases/tag/6.2.0-RC4. Please test and let us know if it works for you, thanks!
Closing since it looks like this is working now.
sbt is affected by the recent log4j vulnerabilities (sbt/sbt#6742); they pushed fixes for that in 1.5.6, 1.5.7, and the latest patches in 1.5.8. The incompatibility of sbt-play-ebean with the latest sbt versions is what is holding some of our projects back from being patched. Now I think that the attack vector isn't extremely large, given that Play Framework itself is not affected, meaning it "only" potentially affects development machines and CI servers. I am currently not aware of any potential attack scenario, but with the recent events considered, the issue shouldn't be underestimated. If an effort could be made to patch that up soon, this would give us and other users the possibility to mitigate the issue in active projects.
Please comment if you have further information on the current state of the sbt 1.5.x compatibility or if you can provide advice on how to mitigate the issue in the current release. Thank you.
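While a project is stuck on an older sbt, the practical question from the report above is how to check the machines it names (developer workstations and CI workers) and the container built by the Dockerfile in the thread. The script below is an added example, not code from this issue, from play-ebean or from sbt: it inventories log4j-core jars on a filesystem by filename and flags those below a minimum version. The minimum version is a parameter (2.17.0 is used as a constructed default, not a value stated on the page), the cache paths in the demo are constructed, and a jar whose version cannot be parsed is reported rather than skipped.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from play-ebean/sbt.
# Filename-based inventory of log4j-core jars below a minimum version, meant
# for developer machines and CI workers (sbt's own caches live under
# ~/.ivy2, ~/.sbt and ~/.cache/coursier) or for an exported container
# filesystem. Assumptions (not from the page): the minimum acceptable version
# is a parameter (2.17.0 below is a constructed default) and the scan only
# recognises jars named log4j-core-<version>.jar.

# Extract the version from a log4j-core jar filename:
#   log4j-core-2.14.1.jar -> 2.14.1 ; anything else -> empty string.
log4j_version_from_name() {
  basename "$1" .jar | sed -n 's/^log4j-core-\([0-9][0-9.]*\)$/\1/p'
}

# Return 0 when dotted numeric version $1 >= $2, comparing component-wise
# (pure POSIX sh; does not depend on GNU sort -V).
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$a" = "$x" ]; then a=''; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=''; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# Print one line per log4j-core jar under directory $1 that is either below
# version $2 (default 2.17.0) or has a version this script cannot parse
# (flagged "unparsed" so it is reviewed rather than silently skipped).
# Output format: <version-or-unparsed><TAB><path>
find_vulnerable_log4j() {
  dir=$1; min=${2:-2.17.0}
  find "$dir" -type f -name 'log4j-core-*.jar' 2>/dev/null | sort |
  while read -r jar; do
    v=$(log4j_version_from_name "$jar")
    if [ -z "$v" ]; then
      printf 'unparsed\t%s\n' "$jar"
    elif ! version_ge "$v" "$min"; then
      printf '%s\t%s\n' "$v" "$jar"
    fi
  done
}

# Demonstration on a constructed directory tree (empty placeholder files
# standing in for real jars); prints only the findings.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/.ivy2/cache/org.apache.logging.log4j/log4j-core/jars" \
           "$tmp/.cache/coursier/v1"
  : > "$tmp/.ivy2/cache/org.apache.logging.log4j/log4j-core/jars/log4j-core-2.14.1.jar"
  : > "$tmp/.cache/coursier/v1/log4j-core-2.17.1.jar"
  : > "$tmp/.cache/coursier/v1/log4j-core-2.0-beta9.jar"
  : > "$tmp/.cache/coursier/v1/log4j-api-2.14.1.jar"   # api jar: out of scope
  find_vulnerable_log4j "$tmp" 2.17.0
  rm -rf "$tmp"
}

# Usage: scan a home directory or an exported container root, e.g.
#   find_vulnerable_log4j "$HOME" 2.17.0
#   find_vulnerable_log4j /path/to/exported-rootfs
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Because the check is filename-based, it will not see log4j classes bundled into a shaded or renamed jar; treat it as a quick triage pass for caches and build images, and keep an image scanner such as the one mentioned earlier in the thread as the authoritative check.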