It would mitigate only the JNDI part, not the other CVE (about the lookup).

Anyway, it’s a good workaround.

I don’t understand why you don’t want to upgrade to a new version. It’s exactly 
the purpose of the new releases to address CVEs.
Else, why would we do new releases if you are stuck with old versions? Log4j 
did a couple of new releases to address the CVE issue, so it’s worth updating.

Regards
JB

> On Dec 23, 2021, at 6:37 PM, Paul Spencer <[email protected]> wrote:
> 
> JB,
> Aymen Furter suggested the following:
> 
> $ cd karaf-directory
> $ zip -q -d $(find . | grep pax-logging-log4j2 | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
> $ zip -q -d $(grep -rlnw . -e "pax-logging-log4j2" | grep "data/cache/bundle" | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
> 
> 
> This looks like a reasonable short term workaround that is relatively easy to 
> implement. Relative to the Karaf and its services, do you see any potential 
> problems with the workaround?
> 
> 
> Paul Spencer
> 
>> On Dec 23, 2021, at 12:17 PM, JB Onofré <[email protected]> wrote:
>> 
>> Then create your own custom distro upgrading pax logging. 
>> 
>>> On Dec 23, 2021, at 5:23 PM, Paul Spencer <[email protected]> wrote:
>>> 
>>> JB,
>>> As stated earlier, upgrading Karaf is not an option in the short term.
>>> 
>>> Paul Spencer
>>> 
>>> 
>>>> On Dec 23, 2021, at 11:21 AM, JB Onofré <[email protected]> wrote:
>>>> 
>>>> Upgrade to Karaf 4.2.13. 
>>>> 
>>>>> On Dec 23, 2021, at 5:02 PM, Paul Spencer <[email protected]> wrote:
>>>>> 
>>>>> In light of the updated mitigation for Log4JShell published by 
>>>>> Log4J[1], specifically "zip -q -d log4j-core-*.jar 
>>>>> org/apache/logging/log4j/core/lookup/JndiLookup.class", the insufficient 
>>>>> mitigation measure of setting the system property log4j2.formatMsgNoLookups, 
>>>>> and the presence of JndiLookup.class in the pax-logging-log4j2 jar, what 
>>>>> is the suggested mitigation for Karaf 4.2.x and Karaf 4.3.x when 
>>>>> upgrading Karaf is not an option in the short term?
>>>>> 
>>>>> ***
>>>>> * Example from Karaf 4.2.9
>>>>> ****
>>>>> [user@localhost karaf]$ zip -sf ./system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar | grep JndiLookup
>>>>> org/apache/logging/log4j/core/lookup/JndiLookup.class
>>>>> [user@localhost karaf]$ 
>>>>> 
>>>>> Paul Spencer
>>>>> 
>>>>> [1] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 
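The `zip -sf ... | grep JndiLookup` check and the `zip -q -d` removal discussed in the thread, as an added Python example that is not from the thread or from the Karaf project: it scans a Karaf directory (the `system/` repository and `data/cache/bundle*` copies alike) for jars still carrying JndiLookup.class, strips that entry from a jar in place, and ships a constructed fixture tree so it runs without a real Karaf install. The fixture paths mirror the Karaf 4.2.9 layout quoted above; the class bytes in it are placeholders, not real pax-logging classes.

```python
import os
import pathlib
import shutil
import zipfile

# Entry the `zip -q -d` mitigation quoted in the thread removes from the jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_jars_with_jndi_lookup(root):
    """Return every .jar under root (system/ repo and data/cache alike) that still contains JndiLookup.class."""
    hits = []
    for path in (p for p in pathlib.Path(root).rglob("*.jar") if p.is_file()):
        try:
            with zipfile.ZipFile(path) as jar:
                if JNDI_LOOKUP in jar.namelist():
                    hits.append(str(path))
        except zipfile.BadZipFile:
            continue  # not a real zip (e.g. a truncated download): skip it
    return sorted(hits)

def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class; returns False if it was absent."""
    tmp = jar_path + ".stripped"
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():  # keep order and compression of every other entry
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info))
    shutil.copymode(jar_path, tmp)
    os.replace(tmp, jar_path)  # atomic swap: a crash never leaves a half-written jar
    return True

def make_sample_karaf_tree(root):
    """Constructed fixture, not real pax-logging: repository jar, its bundle-cache copy, one unrelated jar."""
    rels = ["system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar",
            "data/cache/bundle5/version0.0/bundle.jar"]
    affected = sorted(str(pathlib.Path(root, rel)) for rel in rels)
    clean = str(pathlib.Path(root, "system/other.jar"))
    for path in affected + [clean]:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as z:  # placeholder class bytes, not real classes
            z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if path != clean:
                z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return affected
```

Run `find_jars_with_jndi_lookup` again after stripping: an empty result is the verification step the `zip -sf` command above performs by hand.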
