By hotfix, you mean patching while running?

Maybe you can do a bundle:update instead of bundle:install, but basically correct.

My point is that you don't have to upgrade if you use the workaround (that can be added at runtime, restart pax-logging bundle).

Regards
JB

On 13/12/2021 14:00, Raggy Fab wrote:
Hi JB,

OK - Let me summarize.

If I want to do a hotfix, I need to swap pax logging (run level fixed my previous problem):
bundle:install -l 8 mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11
bundle:install -l 8 mvn:org.ops4j.pax.logging/pax-logging-api/2.0.11
bundle:uninstall 6
bundle:uninstall 7

Then replace old pax-logging-api and pax-logging-log4j2 entries in startup.properties:
mvn\:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11 = 8
mvn\:org.ops4j.pax.logging/pax-logging-api/2.0.11 = 8

Correct?
This should be a fairly safe upgrade, even for older Karaf versions, do you agree?

Kind Regards,
Raggy

On Mon, 13 Dec 2021 at 13:44, Jean-Baptiste Onofré <[email protected]> wrote:

    Hi Raggy,

    without upgrading, you can use a workaround.

    log4j2.formatMsgNoLookups=true in etc/system.properties should do
    the trick.

    If you want to upgrade, you have to change in etc/startup.properties
    (and populate system repo).

    Regards
    JB

    On 13/12/2021 13:42, Raggy Fab wrote:
     > Hello,
     >
     > I am aware that the new karaf version 4.3.4 will fix the Log4j
     > Vulnerability (CVE-2021-44228).
     >
     > However, I can't upgrade karaf in my project. Is there a hotfix
     > option? (Ideally only touching log4j)
     >
     > I tried to swap out Pax Logging:
     > bundle:install mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11
     > bundle:install mvn:org.ops4j.pax.logging/pax-logging-api/2.0.11
     > bundle:uninstall 6
     > bundle:uninstall 7
     >
     > Log files are written, but I get class path issues like (Bundles no
     > longer starting up):
     > ClassNotFoundException: org.apache.commons.logging.LogFactory
     >
     > kind regards,
     > Raggy
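
An added example, not part of the thread: a shell check that reports whether a Karaf etc/ directory carries either remediation discussed above (the log4j2.formatMsgNoLookups=true line in system.properties, or pax-logging entries at 2.0.11 in startup.properties). The function names and the sample directory are constructed for illustration; 2.0.11 as the minimum version is taken from the thread.

```shell
#!/bin/sh
# Assumption: 2.0.11 is the minimum pax-logging version, as used in the thread.
MIN_VERSION="2.0.11"

# Prints "set" when an uncommented log4j2.formatMsgNoLookups=true line exists.
workaround_status() {
  if grep -Eqs '^[[:space:]]*log4j2\.formatMsgNoLookups[[:space:]]*[=:][[:space:]]*true[[:space:]]*$' \
      "$1/system.properties"; then
    echo set
  else
    echo missing
  fi
}

# Prints each pax-logging startup entry older than MIN_VERSION, one per line.
# Entries look like: mvn\:org.ops4j.pax.logging/pax-logging-api/2.0.11 = 8
outdated_pax_logging() {
  [ -f "$1/startup.properties" ] || return 0
  sed -n 's|^[[:space:]]*mvn\\:org\.ops4j\.pax\.logging/\(pax-logging-[^/]*\)/\([^[:space:]=]*\).*|\1 \2|p' \
      "$1/startup.properties" |
  while read -r artifact version; do
    lowest=$(printf '%s\n%s\n' "$version" "$MIN_VERSION" | sort -V | head -n 1)
    # Older than MIN_VERSION: sorts first and is not equal to it.
    if [ "$lowest" = "$version" ] && [ "$version" != "$MIN_VERSION" ]; then
      echo "$artifact/$version"
    fi
  done
}

# Exit status 0 when the workaround is set, or when pax-logging entries exist
# and none is outdated; 1 otherwise.
audit_karaf_etc() {
  workaround=$(workaround_status "$1")
  outdated=$(outdated_pax_logging "$1")
  echo "formatMsgNoLookups workaround: $workaround"
  echo "outdated pax-logging startup entries: ${outdated:-none}"
  [ "$workaround" = set ] ||
    { [ -z "$outdated" ] && grep -qs 'pax-logging-' "$1/startup.properties"; }
}

# Constructed sample: an un-upgraded etc/ directory with the workaround applied.
demo_dir=$(mktemp -d)
printf '%s\n' 'log4j2.formatMsgNoLookups=true' > "$demo_dir/system.properties"
printf '%s\n' 'mvn\:org.ops4j.pax.logging/pax-logging-api/2.0.10 = 8' \
  'mvn\:org.ops4j.pax.logging/pax-logging-log4j2/2.0.10 = 8' > "$demo_dir/startup.properties"
audit_karaf_etc "$demo_dir"
```

The check reads configuration files only; bundles already running are not inspected, so restart pax-logging or Karaf after changing either file.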
