Hi Paul, my two cents as a karaf user:
a) You could switch to logback (this breaks some karaf features like log:xxx commands):

   karaf@root()> shell:exec curl -o etc/logback.xml https://raw.githubusercontent.com/pedestal/samples/master/auto-reload-server/config/logback.xml
   karaf@root()> shell:exec echo "org.ops4j.pax.logging.StaticLogbackContext=true" >> etc/system.properties
   karaf@root()> shell:exec echo "org.ops4j.pax.logging.StaticLogbackFile=etc/logback.xml" >> etc/system.properties
   karaf@root()> feature:install framework-logback
   karaf@root()> feature:uninstall framework
   # Restart Karaf

b) You could patch the PAX Logging jars (both in the system folder as well as in the cache) using the approach you provided:

   $ cd karaf-directory
   $ zip -q -d $(find . | grep pax-logging-log4j2 | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
   $ zip -q -d $(grep -rlnw . -e "pax-logging-log4j2" | grep "data/cache/bundle" | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class

Cheers
Aymen

Aymen Furter
http://www.aymenfurter.ch

On Thu., 23 Dec. 2021 at 17:23, Paul Spencer <paulspen...@mindspring.com> wrote:
> JB,
> As stated earlier, upgrading Karaf is not an option in the short term.
>
> Paul Spencer
>
>
>> On Dec 23, 2021, at 11:21 AM, JB Onofré <j...@nanthrax.net> wrote:
>>
>> Upgrade to Karaf 4.2.13.
>>
>>> On 23 Dec. 2021 at 17:02, Paul Spencer <paulspen...@mindspring.com> wrote:
>>>
>>> In light of the updated mitigation for Log4JShell published by Log4J[1], specifically "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class", the insufficient mitigation measure of setting the system property log4j2.formatMsgNoLookups, and the presence of JndiLookup.class in the pax-logging-log4j2 jar, what is the suggested mitigation for Karaf 4.2.x and Karaf 4.3.x when upgrading Karaf is not an option in the short term?
>>>
>>> ***
>>> * Example from Karaf 4.2.9
>>> ****
>>> [user@localhost karaf]$ zip -sf ./system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar | grep JndiLookup
>>> org/apache/logging/log4j/core/lookup/JndiLookup.class
>>> [user@localhost karaf]$
>>>
>>> Paul Spencer
>>>
>>> [1] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
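The `zip -q -d` one-liners in option b) silently do the wrong thing when `find`/`grep` return more than one path, and they give no before/after confirmation that the class is actually gone from every copy (system/ repository and the bundle cache). The script below is an added example written for this thread; it is not code from Aymen, Paul, Karaf or Pax Logging. It walks a Karaf directory, lists every jar that still contains `JndiLookup.class`, rewrites those jars without that entry (Python's `zipfile` cannot delete in place, so it writes a new archive and swaps it in), and rescans. The fixture tree it builds is constructed for the example; the `data/cache/bundleN/version0.0/bundle.jar` layout is an assumption about how the bundle cache names files, which is why the scan matches on archive contents rather than on file names. Stop Karaf before rewriting anything under `data/cache`, and restart it afterwards, as option a) already notes for the logback route.

```python
"""Find and strip JndiLookup.class from every jar under a Karaf install.

Added example for the thread above; not part of Karaf or Pax Logging."""
import tempfile
import zipfile
from pathlib import Path

# Entry named in the Log4j advisory linked in the thread (CVE-2021-44228).
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_affected_jars(root):
    """Return every *.jar under root whose entry list contains JndiLookup.class.

    Matching on contents rather than file name also catches the cache copy,
    which Karaf stores under a generic name such as bundle.jar."""
    affected = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if JNDI_ENTRY in zf.namelist():
                    affected.append(jar)
        except zipfile.BadZipFile:
            continue  # not a real archive; skip it instead of aborting the scan
    return affected


def strip_entry(jar, entry=JNDI_ENTRY):
    """Rewrite jar without `entry`; returns True if the entry was removed."""
    jar = Path(jar)
    tmp = jar.with_name(jar.name + ".tmp")
    removed = False
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == entry:
                removed = True
                continue
            # Re-use the original ZipInfo so compression and timestamps survive.
            dst.writestr(info, src.read(info.filename))
    if removed:
        tmp.replace(jar)  # atomic swap on the same filesystem
    else:
        tmp.unlink()
    return removed


def mitigate(root):
    """Scan, strip, rescan. Returns (affected_before, affected_after)."""
    before = find_affected_jars(root)
    for jar in before:
        strip_entry(jar)
    return len(before), len(find_affected_jars(root))


def build_sample_karaf(root):
    """Constructed fixture (assumed layout): one pax-logging-log4j2 jar in
    system/, its cached copy in data/cache/, and an unrelated clean jar."""
    root = Path(root)
    sys_jar = root / ("system/org/ops4j/pax/logging/pax-logging-log4j2/"
                      "1.11.6/pax-logging-log4j2-1.11.6.jar")
    cache_jar = root / "data/cache/bundle42/version0.0/bundle.jar"  # assumed name
    clean_jar = root / "system/org/example/clean-1.0.jar"
    for p in (sys_jar, cache_jar, clean_jar):
        p.parent.mkdir(parents=True, exist_ok=True)
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed
    for p in (sys_jar, cache_jar):
        with zipfile.ZipFile(p, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Bundle-SymbolicName: org.ops4j.pax.logging.pax-logging-log4j2\n")
            zf.writestr(JNDI_ENTRY, fake_class)
            zf.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    with zipfile.ZipFile(clean_jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Bundle-SymbolicName: org.example.clean\n")
    return root


def demo():
    """Run the whole cycle on the constructed fixture in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_karaf(d)
        before, after = mitigate(d)
        clean_touched = strip_entry(Path(d) / "system/org/example/clean-1.0.jar")
        return {"before": before, "after": after, "clean_touched": clean_touched}


if __name__ == "__main__":
    print(demo())
```

Point `mitigate()` at the real Karaf home instead of the fixture to use it for real; `find_affected_jars()` alone is the read-only check to run first, and again after the restart, to confirm the cache was not re-provisioned from an unpatched system/ jar.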