JB,
Karaf upgrades will be done, just not during the holiday breaks when compliance 
resources are scarce.  Mitigating the issue by setting 
log4j2.formatMsgNoLookups and removing the JndiLookup.class will allow the 
current environment to run while upgrades are run through each customer's 
compliance and deployment processes.

Thank you and the Karaf team for rapidly releasing updated versions of Karaf to 
address the CVE.  The updated Karaf will be incorporated into our products 
and pushed through the release and deployment process as quickly as possible.

Paul Spencer

> On Dec 23, 2021, at 12:42 PM, Jean-Baptiste Onofre <[email protected]> wrote:
> 
> It would mitigate only the JNDI part, not the other CVE (about the lookup).
> 
> Anyway, it’s a good workaround.
> 
> I don’t understand why you don’t want to upgrade to a new version. It’s 
> exactly the purpose of the new releases to address CVEs.
> Else, why would we do new releases if you are stuck with old versions? Log4j 
> did a couple of new releases to address the CVE issue, so it’s worth updating.
> 
> Regards
> JB
> 
>> On 23 Dec 2021, at 18:37, Paul Spencer <[email protected]> wrote:
>> 
>> JB,
>> Aymen Furter suggested the following:
>> 
>> $ cd karaf-directory
>> $ zip -q -d $(find . | grep pax-logging-log4j2 | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
>> $ zip -q -d $(grep -rlnw . -e "pax-logging-log4j2" | grep "data/cache/bundle" | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
>> 
>> 
>> This looks like a reasonable short term workaround that is relatively easy 
>> to implement. Relative to Karaf and its services, do you see any 
>> potential problems with the workaround?
>> 
>> 
>> Paul Spencer
>> 
>>> On Dec 23, 2021, at 12:17 PM, JB Onofré <[email protected]> wrote:
>>> 
>>> Then create your own custom distro upgrading pax logging. 
>>> 
>>>> On 23 Dec 2021, at 17:23, Paul Spencer <[email protected]> wrote:
>>>> 
>>>> JB,
>>>> As stated earlier, upgrading Karaf is not an option in the short term.
>>>> 
>>>> Paul Spencer
>>>> 
>>>> 
>>>>> On Dec 23, 2021, at 11:21 AM, JB Onofré <[email protected]> wrote:
>>>>> 
>>>>> Upgrade to Karaf 4.2.13. 
>>>>> 
>>>>>> On 23 Dec 2021, at 17:02, Paul Spencer <[email protected]> wrote:
>>>>>> 
>>>>>> In light of the updated mitigation for the Log4JShell published by 
>>>>>> Log4J[1], specifically "zip -q -d log4j-core-*.jar 
>>>>>> org/apache/logging/log4j/core/lookup/JndiLookup.class", the insufficient 
>>>>>> mitigation measure of setting system property log4j2.formatMsgNoLookups, 
>>>>>> and the presence of JndiLookup.class in the pax-logging-log4j2 jar, what 
>>>>>> is the suggested mitigation for Karaf 4.2.x and Karaf 4.3.x when 
>>>>>> upgrading Karaf is not an option in the short term?
>>>>>> 
>>>>>> ***
>>>>>> * Example from Karaf 4.2.9
>>>>>> ***
>>>>>> [user@localhost karaf]$ zip -sf ./system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar | grep JndiLookup
>>>>>> org/apache/logging/log4j/core/lookup/JndiLookup.class
>>>>>> [user@localhost karaf]$ 
>>>>>> 
>>>>>> Paul Spencer
>>>>>> 
>>>>>> [1] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 

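As an added example, not code from the thread or from the Karaf or Pax Logging projects: a Python equivalent of the `zip -sf ... | grep JndiLookup` check and the `zip -q -d` removal discussed above, built on the standard library's zipfile so it also finds the data/cache copies whose file names never mention pax-logging-log4j2. The Karaf tree, bundle number and jar contents it builds are constructed stand-ins, not the real artifacts.

```python
import os
import tempfile
import zipfile

# The entry the thread greps for with `zip -sf ... | grep JndiLookup`.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jars_with_jndi_lookup(karaf_dir):
    """Jars under karaf_dir that still contain JndiLookup.class. Matching on contents,
    not file name, also catches data/cache/bundleN/.../bundle.jar, the copy Karaf loads."""
    found = []
    for root, _dirs, files in os.walk(karaf_dir):
        for name in files:
            path = os.path.join(root, name)
            if name.endswith(".jar") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    if JNDI_CLASS in zf.namelist():
                        found.append(path)
    return sorted(found)


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class (what `zip -q -d` does), keeping
    every other entry and its compression. Returns True if the entry was removed."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path))
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap: never leaves a half-written jar behind
    return True


def make_sample_jar(path):
    """Constructed stand-in for a pax-logging-log4j2 jar (not the real artifact)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Bundle-SymbolicName: org.ops4j.pax.logging.pax-logging-log4j2\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # dummy class bytes, constructed


def demo():
    """Constructed Karaf-like tree with the system/ copy and the bundle-cache copy;
    returns (jars flagged, jars stripped, jars still flagged afterwards)."""
    karaf = tempfile.mkdtemp(prefix="karaf-")
    make_sample_jar(os.path.join(karaf, "system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar"))
    make_sample_jar(os.path.join(karaf, "data/cache/bundle7/version0.0/bundle.jar"))
    before = jars_with_jndi_lookup(karaf)
    stripped = sum(strip_jndi_lookup(j) for j in before)
    return len(before), stripped, len(jars_with_jndi_lookup(karaf))
```

Run it against a stopped instance, on the same tree the zip commands target (system/ and data/cache); like those commands it only removes the JNDI lookup class and is a stopgap until the pax-logging upgrade goes through.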