Correct - by hotfix I mean updating the log4j version without upgrading to karaf 4.3.4. Restarting Karaf is not an issue. Thanks for the hint regarding bundle:update. I prefer removing the vulnerable log4j from the classpath (which this procedure achieves)
On Mon, 13 Dec 2021 at 14:02, Jean-Baptiste Onofré <[email protected]> wrote:
> By hotfix, you mean patching while running?
>
> Maybe you can do a bundle:update instead of bundle:install, but
> basically correct.
>
> My point is that you don't have to upgrade if you use the workaround
> (that can be added at runtime, restart pax-logging bundle).
>
> Regards
> JB
>
> On 13/12/2021 14:00, Raggy Fab wrote:
> > Hi JB,
> >
> > OK - Let me summarize.
> >
> > If I want to do a hotfix, I need to swap pax logging (run level fixed my
> > previous problem):
> > bundle:install -l 8 mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11
> > bundle:install -l 8 mvn:org.ops4j.pax.logging/pax-logging-api/2.0.11
> > bundle:uninstall 6
> > bundle:uninstall 7
> >
> > Then replace old pax-logging-api and pax-logging-log4j2 entries in
> > startup.properties:
> > mvn\:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11 = 8
> > mvn\:org.ops4j.pax.logging/pax-logging-api/2.0.11 = 8
> >
> > Correct?
> > This should be a fairly safe upgrade, even for older Karaf versions, do
> > you agree?
> >
> > Kind Regards,
> > Raggy
> >
> > On Mon, 13 Dec 2021 at 13:44, Jean-Baptiste Onofré
> > <[email protected] <mailto:[email protected]>> wrote:
> >
> > Hi Raggy,
> >
> > without upgrading, you can use a workaround.
> >
> > log4j2.formatMsgNoLookups=true in etc/system.properties should do
> > the trick.
> >
> > If you want to upgrade, you have to change in etc/startup.properties
> > (and populate system repo).
> >
> > Regards
> > JB
> >
> > On 13/12/2021 13:42, Raggy Fab wrote:
> > > Hello,
> > >
> > > I am aware that the new karaf version 4.3.4 will fix the Log4j
> > > Vulnerability (CVE-2021-44228).
> > >
> > > However, I can't upgrade karaf in my project. Is there a hotfix
> > > option? (Ideally only touching log4j)
> > >
> > > I tried to swap out Pax Logging:
> > > bundle:install mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11
> > > bundle:install mvn:org.ops4j.pax.logging/pax-logging-api/2.0.11
> > > bundle:uninstall 6
> > > bundle:uninstall 7
> > >
> > > Log files are written, but I get class path issues like (Bundles
> > > no longer starting up):
> > > ClassNotFoundException: org.apache.commons.logging.LogFactory
> > >
> > > kind regards,
> > > Raggy
> > >
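The thread above describes two file-level changes in a Karaf `etc/` directory: pointing the `pax-logging-api` and `pax-logging-log4j2` entries in `startup.properties` at the 2.0.11 hotfix at run level 8, and (as the runtime-only workaround) setting `log4j2.formatMsgNoLookups=true` in `system.properties`. The POSIX shell script below is an added example, not code from the thread or from the Karaf or Pax Logging projects; it applies both edits to a given `etc/` directory and verifies them, so the `startup.properties` swap cannot be left half done (one entry updated, the other still on the old version). The `startup.properties` and `system.properties` contents it uses for its demo run are constructed samples, not copied from a real installation, and the `bundle:install` / `bundle:uninstall` steps from the thread are still done separately in the Karaf console.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): apply and verify the two
# file-level steps described there for a Log4j hotfix on Karaf.
#   1. startup.properties: move pax-logging-api / pax-logging-log4j2 to the
#      hotfix version and run level quoted in the thread
#   2. system.properties: set the log4j2.formatMsgNoLookups=true workaround
# Sample file contents used by the demo are constructed here so this runs offline.

NEW_VERSION="2.0.11"   # version quoted in the thread
NEW_LEVEL="8"          # run level quoted in the thread

# Rewrite the two pax-logging entries in the given startup.properties in place.
# Entries look like:  mvn\:org.ops4j.pax.logging/pax-logging-api/2.0.9 = 8
patch_startup_properties() {
    file="$1"
    awk -v ver="$NEW_VERSION" -v lvl="$NEW_LEVEL" '
        /^mvn\\:org\.ops4j\.pax\.logging\/pax-logging-(api|log4j2)\// {
            key = $0; sub(/[ \t]*=.*$/, "", key)      # strip "= runlevel"
            base = key; sub(/\/[^\/]*$/, "", base)    # strip the old version
            print base "/" ver " = " lvl
            next
        }
        { print }                                     # every other line untouched
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Count pax-logging entries already at NEW_VERSION / NEW_LEVEL.
# A fully patched file yields 2 (api + log4j2); anything else is an incomplete swap.
count_hotfix_entries() {
    awk -v ver="$NEW_VERSION" -v lvl="$NEW_LEVEL" '
        /^mvn\\:org\.ops4j\.pax\.logging\/pax-logging-(api|log4j2)\// {
            key = $0; sub(/[ \t]*=.*$/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            n = split(key, parts, "/")                # parts[n] is the version
            if (parts[n] == ver && val == lvl) c++
        }
        END { print c + 0 }
    ' "$1"
}

# True when the workaround property is set in the given system.properties.
has_no_lookups() {
    grep -q '^log4j2\.formatMsgNoLookups *= *true' "$1"
}

# Set the workaround property, replacing any other assignment of the same key
# so the file ends up with exactly one unambiguous value. Idempotent.
set_no_lookups() {
    file="$1"
    if has_no_lookups "$file"; then
        return 0
    fi
    grep -v '^log4j2\.formatMsgNoLookups *=' "$file" > "$file.tmp" || true
    echo 'log4j2.formatMsgNoLookups=true' >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Constructed sample etc/ directory (not a real Karaf install) for the demo.
write_sample_etc() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/startup.properties" <<'EOF'
# constructed sample startup.properties
mvn\:org.example/unrelated-bundle/1.0.0 = 5
mvn\:org.ops4j.pax.logging/pax-logging-api/2.0.9 = 8
mvn\:org.ops4j.pax.logging/pax-logging-log4j2/2.0.9 = 8
mvn\:org.example/another-bundle/1.0.0 = 10
EOF
    cat > "$dir/system.properties" <<'EOF'
# constructed sample system.properties
example.property=value
EOF
}

# Demo run against a throwaway directory.
demo_dir="${TMPDIR:-/tmp}/karaf-etc-demo.$$"
write_sample_etc "$demo_dir"
patch_startup_properties "$demo_dir/startup.properties"
set_no_lookups "$demo_dir/system.properties"
echo "pax-logging entries at $NEW_VERSION / level $NEW_LEVEL: $(count_hotfix_entries "$demo_dir/startup.properties")"
cat "$demo_dir/startup.properties"
rm -rf "$demo_dir"
```

On a real installation, run `patch_startup_properties etc/startup.properties` and `set_no_lookups etc/system.properties` from the Karaf home directory, then confirm `count_hotfix_entries` prints 2 before restarting; the property-only workaround leaves the old pax-logging bundles on the classpath, which is why the thread's author prefers the full swap.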
