Hi Paul,

my two cents as a karaf user:

a) You could switch to logback (this breaks some karaf features like
log:xxx commands)

karaf@root()> shell:exec curl -o etc/logback.xml https://raw.githubusercontent.com/pedestal/samples/master/auto-reload-server/config/logback.xml
karaf@root()> shell:exec echo "org.ops4j.pax.logging.StaticLogbackContext=true" >> etc/system.properties
karaf@root()> shell:exec echo "org.ops4j.pax.logging.StaticLogbackFile=etc/logback.xml" >> etc/system.properties
karaf@root()> feature:install framework-logback
karaf@root()> feature:uninstall framework

# Restart Karaf

b) You could patch the PAX Logging Jars (both in system folder as well as
in cache) using the approach you provided:

$ cd karaf-directory
$ zip -q -d $(find . | grep pax-logging-log4j2 | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
$ zip -q -d $(grep -rlnw . -e "pax-logging-log4j2" | grep "data/cache/bundle" | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class


Cheers
Aymen

Aymen Furter
http://www.aymenfurter.ch
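
As an added example (my own, not code from Aymen's message or from the Karaf project), a Python script that does what option (b) does for both locations and verifies the result: it walks a Karaf home, finds every jar still carrying JndiLookup.class, and rewrites each one without that entry. It matches on jar content rather than file name, because cached bundles are stored as data/cache/bundleN/version0.0/bundle.jar, so it also catches any other bundle that embeds log4j-core. The directory layout built by make_sample_karaf_home is a constructed fixture (the bundle12 id and the other-1.0.jar are made up), not a real installation.

```python
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jars_with_jndi_lookup(karaf_home):
    """Every jar under karaf_home (system/ and data/cache/ alike) that still carries
    JndiLookup.class; matched by content because cached bundles are all named bundle.jar."""
    hits = []
    for root, _dirs, files in os.walk(karaf_home):
        for name in files:
            path = os.path.join(root, name)
            if name.endswith(".jar") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as jar:
                    if JNDI_CLASS in jar.namelist():
                        hits.append(path)
    return sorted(hits)


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class; returns True if the entry was removed."""
    tmp = jar_path + ".patched"  # zipfile cannot delete in place, so rebuild beside it
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():  # copy every other entry, compression preserved
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic rename over the original jar
    return True


def mitigate(karaf_home):
    """Strip the class from every affected jar; returns the patched jar paths."""
    return [p for p in jars_with_jndi_lookup(karaf_home) if strip_jndi_lookup(p)]


def make_sample_karaf_home():
    """Constructed fixture (not a real install): two jars carrying the class, one clean."""
    home = tempfile.mkdtemp(prefix="karaf-")
    affected = ["system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar",
                "data/cache/bundle12/version0.0/bundle.jar"]
    for rel in affected + ["system/org/example/other/1.0/other-1.0.jar"]:
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if rel in affected:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return home
```

The script does not look inside nested jars (a bundle that embeds log4j-core as a library), and a running Karaf still has the old class loaded, so restart it after patching.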


On Thu, Dec 23, 2021 at 17:23, Paul Spencer <paulspen...@mindspring.com> wrote:

> JB,
> As stated earlier, upgrading Karaf is not an option in the short term.
>
> Paul Spencer
>
>
> > On Dec 23, 2021, at 11:21 AM, JB Onofré <j...@nanthrax.net> wrote:
> >
> > Upgrade to Karaf 4.2.13.
> >
> >> On Dec 23, 2021 at 17:02, Paul Spencer <paulspen...@mindspring.com> wrote:
> >>
> >> In light of the updated mitigation for Log4Shell published by
> >> Log4J[1], specifically "zip -q -d log4j-core-*.jar
> >> org/apache/logging/log4j/core/lookup/JndiLookup.class", the insufficient
> >> mitigation measure of setting the system property log4j2.formatMsgNoLookups,
> >> and the presence of JndiLookup.class in the pax-logging-log4j2 jar, what is
> >> the suggested mitigation for Karaf 4.2.x and Karaf 4.3.x when upgrading
> >> Karaf is not an option in the short term?
> >>
> >> ***
> >> * Example from Karaf 4.2.9
> >> ****
> >> [user@localhost karaf]$ zip -sf ./system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar | grep JndiLookup
> >> org/apache/logging/log4j/core/lookup/JndiLookup.class
> >> [user@localhost karaf]$
> >>
> >> Paul Spencer
> >>
> >> [1] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
> >>
> >>
> >
>
>
