JB,

As stated earlier, upgrading Karaf is not an option in the short term.

Paul Spencer

> On Dec 23, 2021, at 11:21 AM, JB Onofré <j...@nanthrax.net> wrote:
>
> Upgrade to Karaf 4.2.13.
>
>> On Dec 23, 2021, at 17:02, Paul Spencer <paulspen...@mindspring.com> wrote:
>>
>> In light of the updated mitigation for the Log4JShell published by
>> Log4J[1], specifically "zip -q -d log4j-core-*.jar
>> org/apache/logging/log4j/core/lookup/JndiLookup.class", the insufficient
>> mitigation measure of setting system property log4j2.formatMsgNoLookups, and
>> the presence of JndiLookup.class in the pax-logging-log4j2 jar, what is the
>> suggested mitigation for Karaf 4.2.x and Karaf 4.3.x when upgrading Karaf is
>> not an option in the short term?
>>
>> ***
>> * Example from Karaf 4.2.9
>> ****
>> [user@localhost karaf]$ zip -sf ./system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar | grep JndiLookup
>> org/apache/logging/log4j/core/lookup/JndiLookup.class
>> [user@localhost karaf]$
>>
>> Paul Spencer
>>
>> [1] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
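
The `zip -sf ... | grep JndiLookup` check quoted above, generalized to a whole install tree and to archives nested inside other archives, with a copy-based counterpart of the `zip -q -d` removal. This is an added example, not part of the thread and not Karaf or Pax Logging code; the function names and the extension list are assumptions, and the thread does not confirm that stripping the class from the pax-logging-log4j2 bundle is a supported mitigation.

```python
import io
import os
import sys
import zipfile

# Class path taken from the zip commands quoted in the thread.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".kar")  # assumed set of zip-based archives

def find_in_archive(data, label):
    """Return labels of archives (nested ones included) that hold JNDI_CLASS."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS:
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXT):
                    # Recurse so a jar packed inside another archive is not missed.
                    hits += find_in_archive(zf.read(name), label + "!/" + name)
    except zipfile.BadZipFile:
        pass  # not a readable archive; skip it
    return hits

def scan_tree(root):
    """Walk root and report every archive that contains JndiLookup.class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    hits += find_in_archive(fh.read(), path)
    return hits

def strip_class(src, dst):
    """Write a copy of src to dst without JNDI_CLASS; True if it was present."""
    removed = False
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue  # drop only this entry, keep everything else
            zout.writestr(item, zin.read(item.filename))
    return removed

if __name__ == "__main__":
    print("\n".join(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

`strip_class` only handles a class at the top level of the archive it is given and leaves the original file untouched, so the patched copy can be compared and tested before it replaces anything.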