In light of the updated mitigation for the Log4JShell published by Log4J[1], specifically "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class", the insufficient mitigation measure of setting system property log4j2.formatMsgNoLookups, and the presents of JndiLookup.class in the pax-logging-log4j2 jar. What is the suggested mitigation for Karaf 4.2.x and Karaf 4.3.x when upgrading Karaf is not an option in the short term?
*** * Example from Karaf 4.2.9 **** [user@localhost karaf]$ zip -sf ./system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar | grep JndiLookup org/apache/logging/log4j/core/lookup/JndiLookup.class [user@localhost karaf]$ Paul Spencer [1] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
