Upgrade to Karaf 4.2.13.
> On 23 Dec 2021, at 17:02, Paul Spencer <[email protected]> wrote:
>
> In light of the updated mitigation for the Log4JShell published by Log4J[1],
> specifically "zip -q -d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class", the insufficient
> mitigation measure of setting system property log4j2.formatMsgNoLookups, and
> the presence of JndiLookup.class in the pax-logging-log4j2 jar, what is the
> suggested mitigation for Karaf 4.2.x and Karaf 4.3.x when upgrading Karaf is
> not an option in the short term?
>
> ***
> * Example from Karaf 4.2.9
> ****
> [user@localhost karaf]$ zip -sf
> ./system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar
> | grep JndiLookup
> org/apache/logging/log4j/core/lookup/JndiLookup.class
> [user@localhost karaf]$
>
> Paul Spencer
>
> [1] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
>
>
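
The `zip -sf ... | grep JndiLookup` check quoted above inspects a single jar. As an added example (not part of the original thread and not Karaf or Pax Logging code), the sketch below applies the same check to every archive under a Karaf directory and also looks inside archives nested in other archives. The function names, the extension list and the nesting limit are assumptions made for this example.

```python
import io
import sys
import zipfile
from pathlib import Path

CLASS_FILE = "JndiLookup.class"
# Assumption: archive types worth opening in a Karaf tree (all are zip containers).
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".kar", ".zip")


def scan_archive(data, label, max_depth=4):
    """Return (archive label, entry name) for each JndiLookup.class found,
    descending into nested archives up to max_depth levels."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable zip container, nothing to report
    with zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == CLASS_FILE:
                hits.append((label, name))
            elif max_depth > 0 and name.lower().endswith(ARCHIVE_EXTS):
                # Embedded archive: read it into memory and scan it too.
                nested = f"{label}!/{name}"
                hits += scan_archive(zf.read(name), nested, max_depth - 1)
    return hits


def scan_tree(root):
    """Scan every archive file below root (for example the Karaf home)."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXTS:
            hits += scan_archive(path.read_bytes(), str(path))
    return hits


if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for archive, entry in found:
        print(f"{archive}: {entry}")
    # Non-zero exit status when the class is still present, for use in scripts.
    sys.exit(1 if found else 0)
```

Run it against the Karaf installation directory before and after an upgrade or a class removal; an empty result and exit status 0 mean no scanned archive contains the class.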