nixos/jitsi-meet: Mitigate CVE-2021-44228

[yayayayaka]

Motivation for this change

This commit mitigates a remote code execution vulnerability in the log4j
library.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.05 Release Notes (or backporting 21.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[yu-re-ka]

More information on the vulnerability: https://www.lunasec.io/docs/blog/log4j-zero-day/

[yu-re-ka]

Strictly the commit message(s) should be nixos/jitsi-videobridge: ..., nixos/jicofo: ... and so on, because this changes the module not the package

[yayayayaka]

Alright.

[yu-re-ka]

I'm not sure if jibri and jicofo actually use Log4j, but better safe than sorry

[KamilaBorowska]

Actually, good point, I don't think jibri and jicofo actually use Log4j, checked the JARs involved, no trace of Log4j.

[KamilaBorowska]

jitsi-videobridge2 uses Log4j, Jibri and Jicofo don't. I think it would make sense to restrict the change to jitsi-videobridge2 only.

[KamilaBorowska]

I think commits other than "nixos/jitsi-videobridge: Mitigate CVE-2021-44228" can be removed, as those programs don't use Log4J, and as such are unaffected by the vulnerability.

[yayayayaka]

Thanks @xfix for your review. I have removed the other commits.

[github-actions]

Successfully created backport PR #150027 for release-21.11.

[dotlambda]

Shouldn't this also be backported to 21.05?

[ius]

Shouldn't this also be backported to 21.05?

According to upstream:

Jitsi-videobridge instances older than 2.1-504 (May 2021) with callstats enabled should be updated to 2.1-504 or newer.

Which doesn't affect any of NixOS' supported channels. Accordingly this mitigation doesn't seem necessary after all.

(Additional info)