JB,
Aymen Furter suggested the following:

  $ cd karaf-directory
  $ zip -q -d $(find . | grep pax-logging-log4j2 | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
  $ zip -q -d $(grep -rlnw . -e "pax-logging-log4j2" | grep "data/cache/bundle" | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class

This looks like a reasonable short-term workaround that is relatively easy to implement. Relative to Karaf and its services, do you see any potential problems with the workaround?

Paul Spencer

> On Dec 23, 2021, at 12:17 PM, JB Onofré <[email protected]> wrote:
>
> Then create your own custom distro upgrading pax logging.
>
>> On Dec 23, 2021, at 17:23, Paul Spencer <[email protected]> wrote:
>>
>> JB,
>> As stated earlier, upgrading Karaf is not an option in the short term.
>>
>> Paul Spencer
>>
>>> On Dec 23, 2021, at 11:21 AM, JB Onofré <[email protected]> wrote:
>>>
>>> Upgrade to Karaf 4.2.13.
>>>
>>>> On Dec 23, 2021, at 17:02, Paul Spencer <[email protected]> wrote:
>>>>
>>>> In light of the updated mitigation for Log4Shell published by Log4J[1], specifically "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class", the insufficient mitigation measure of setting the system property log4j2.formatMsgNoLookups, and the presence of JndiLookup.class in the pax-logging-log4j2 jar, what is the suggested mitigation for Karaf 4.2.x and Karaf 4.3.x when upgrading Karaf is not an option in the short term?
>>>>
>>>> ***
>>>> * Example from Karaf 4.2.9
>>>> ****
>>>> [user@localhost karaf]$ zip -sf ./system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar | grep JndiLookup
>>>> org/apache/logging/log4j/core/lookup/JndiLookup.class
>>>> [user@localhost karaf]$
>>>>
>>>> Paul Spencer
>>>>
>>>> [1] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
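The same mitigation as the zip one-liners quoted above, written as an added example for this thread (it is not code from the thread, from Karaf or from pax-logging). It assumes the standard Karaf layout, with bundle jars under system/ and the bundle cache under data/cache/, and it identifies a pax-logging-log4j2 jar the way the grep in the thread does: by the string "pax-logging-log4j2" in the jar's own file name or in one of its entry names (a cached bundle is just bundle.jar, but its Maven metadata entry names the artifact). Two things the one-liners do not cover are handled here: every matching jar is rewritten, not just the first (with `zip -q -d $(find ...)`, a second path from the substitution is taken by zip as an entry name to delete, not as another archive), and jars outside pax-logging that also carry JndiLookup.class are reported so they can be reviewed. Run it with Karaf stopped, since it replaces jars the JVM would otherwise have open. The Karaf tree it builds for the demo is constructed, stub-content jars, not the real artifacts.

```python
#!/usr/bin/env python3
"""Added example: remove JndiLookup.class from every pax-logging-log4j2 jar in a
Karaf install (system/ and data/cache/), verify, and report. Not project code."""
import os
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MARKER = "pax-logging-log4j2"


def is_pax_logging_log4j2(jar_path):
    """Match by file name or by entry name, like the grep in the thread."""
    if MARKER in os.path.basename(jar_path):
        return True
    with zipfile.ZipFile(jar_path) as zf:
        return any(MARKER in name for name in zf.namelist())


def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; True if it was removed."""
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path))
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as zin, zipfile.ZipFile(tmp_path, "w") as zout:
            for info in zin.infolist():
                if info.filename == JNDI_CLASS:
                    continue
                # Passing the ZipInfo keeps each entry's own compression method.
                zout.writestr(info, zin.read(info.filename))
        shutil.copymode(jar_path, tmp_path)
        os.replace(tmp_path, jar_path)  # atomic swap, same filesystem
    except BaseException:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)
        raise
    return not has_jndi_lookup(jar_path)


def find_jars(karaf_home):
    """Walk the two places Karaf keeps bundle jars (assumed standard layout)."""
    found = []
    for sub in ("system", os.path.join("data", "cache")):
        for dirpath, _dirs, files in os.walk(os.path.join(karaf_home, sub)):
            found.extend(os.path.join(dirpath, f) for f in files if f.endswith(".jar"))
    return sorted(found)


def mitigate(karaf_home):
    """Return {jar: 'stripped' | 'clean' | 'other-jar-has-jndilookup'}."""
    report = {}
    for jar in find_jars(karaf_home):
        if not zipfile.is_zipfile(jar):
            continue
        if is_pax_logging_log4j2(jar):
            report[jar] = "stripped" if strip_jndi_lookup(jar) else "clean"
        elif has_jndi_lookup(jar):
            report[jar] = "other-jar-has-jndilookup"  # needs review, not pax-logging
    return report


def build_fixture(root):
    """Constructed stand-in for a Karaf install: stub entries, not real bytecode."""
    def make_jar(rel, entries):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
            for name in entries:
                zf.writestr(name, b"stub")
        return path
    sys_jar = make_jar(
        "system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar",
        ["META-INF/MANIFEST.MF", JNDI_CLASS, "org/apache/logging/log4j/core/Logger.class"])
    cache_jar = make_jar(  # cached copy: named bundle.jar, identified by its entries
        "data/cache/bundle12/version0.0/bundle.jar",
        ["META-INF/MANIFEST.MF", "META-INF/maven/org.ops4j.pax.logging/pax-logging-log4j2/pom.xml", JNDI_CLASS])
    other_jar = make_jar("system/com/example/app/1.0/app-1.0.jar", ["META-INF/MANIFEST.MF", JNDI_CLASS])
    return sys_jar, cache_jar, other_jar


def run_demo():
    """Build the fixture, mitigate, and check the outcome; returns a result dict."""
    home = tempfile.mkdtemp(prefix="karaf-")
    try:
        sys_jar, cache_jar, other_jar = build_fixture(home)
        result = {os.path.relpath(j, home): s for j, s in mitigate(home).items()}
        result["verified"] = (not has_jndi_lookup(sys_jar) and not has_jndi_lookup(cache_jar)
                              and has_jndi_lookup(other_jar))
        result["idempotent"] = "stripped" not in mitigate(home).values()
        return result
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{value!s:26} {key}")
```

For a real install, call mitigate() on the Karaf home and re-run it afterwards: a second pass should report only "clean" for the pax-logging jars, and anything reported as "other-jar-has-jndilookup" is a log4j-core copy shipped by some other bundle that the thread's commands would not have touched.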
