[ 
https://issues.apache.org/jira/browse/LOG4J2-3254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462509#comment-17462509
 ] 

Remko Popma commented on LOG4J2-3254:
-------------------------------------

[~4535992] Log4j version 2.12.2 requires Java 7 {_}or later{_}. Log4j 2.17.0 
requires Java 8 or later.

For accurate and up to date information, please consult our [security 
page|https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105].

By now there are 3 security vulnerabilities reported against Log4j.
Log4j 2.17.0 addresses all 3 of them. 
Log4j 2.12.2 addresses 2 of them, and we are planning to release 2.12.3 in the 
next few days to also address the 3rd vulnerability (CVE-2021-45105). However, 
this 3rd vulnerability can be protected against in configuration.
So, combining Log4j 2.12.2 with a logging configuration that does not use 
Context Lookups (like ${ctx:key}) protects against Log4Shell.

By upgrading to these versions you do not need to set 
-Dlog4j2.formatMsgNoLookups=true, and
JNDI is disabled by default.

> Need a log4j-core version 2.16 osgi compatible
> ----------------------------------------------
>
>                 Key: LOG4J2-3254
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3254
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Core, OSGi
>    Affects Versions: 2.16.0
>            Reporter: Marco Tenti
>            Priority: Major
>
> After the big security issue discovered with log4j2, we need to update all 
> the "old" osgi/karaf installations.
> When I run this piece of code
> {code:sh}
> osgi:install -s mvn:org.apache.logging.log4j/log4j-core/2.13.0
> {code}
> it works fine. With this:
> {code:sh}
> osgi:install -s mvn:org.apache.logging.log4j/log4j-core/2.16.0
> {code}
> I get this error:
> {code:sh}
> Error executing command: Error installing bundles:
>         Unable to start bundle 
> mvn:org.apache.logging.log4j/log4j-core/2.16.0: 
> org.osgi.framework.BundleException: Unable to resolve 
> org.apache.logging.log4j.core [521](R 521.0): missing requirement 
> [org.apache.logging.log4j.core [521](R 521.0)] osgi.wiring.package; 
> (&(osgi.wiring.package=org.apache.logging.log4j)(version>=2.16.0)(!(version>=3.0.0)))
>  Unresolved requirements: [[org.apache.logging.log4j.core [521](R 521.0)] 
> osgi.wiring.package; 
> (&(osgi.wiring.package=org.apache.logging.log4j)(version>=2.16.0)(!(version>=3.0.0)))]
> {code}
> Is it a bug? Or must I use some other library? I tried to use [log4j-osgi (version 2.16)|https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-osgi/2.16.0] like this
> {code:sh}
> osgi:install -s mvn:org.apache.logging.log4j/log4j-osgi/2.16.0
> {code}
> It works fine, but I still get the error from my bundles project:
> {code:sh}
> Error executing command: Error executing command on bundles:
>         Error starting bundle 515: Unable to resolve XXX [515](R 515.0): 
> missing requirement [XXX [515](R 515.0)] osgi.wiring.package; 
> (osgi.wiring.package=org.apache.logging.log4j.core) Unresolved requirements: 
> [[XXX [515](R 515.0)] osgi.wiring.package; 
> (osgi.wiring.package=org.apache.logging.log4j.core)]
> {code}
> This error does not happen with version 2.13.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
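
A check for the configuration condition described in the comment above, as an added example that is not part of the original message or of the Log4j project's code: it walks a Log4j 2 XML configuration and reports every Context Lookup (`${ctx:key}` or the escaped `$${ctx:key}`) with the element and attribute that holds it. The sample configuration, the function name and the report format are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key} and the escaped form $${ctx:key}; a default value
# (${ctx:key:-fallback}) is tolerated and only the key is captured.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}:]+)")

# Constructed sample configuration (not taken from the issue).
# %X{loginId} is a Thread Context Map pattern, not a Context Lookup,
# so the second PatternLayout must not be reported.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console">
      <PatternLayout pattern="%d %p ${ctx:loginId} %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="logs/audit-$${ctx:tenant}.log">
      <PatternLayout pattern="%d %X{loginId} %m%n"/>
    </File>
  </Appenders>
</Configuration>
"""


def find_context_lookups(xml_text):
    """Return (element path, attribute name or '#text', lookup key) tuples."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.get("name"):
            here += f"[{elem.get('name')}]"
        for attr, value in elem.attrib.items():
            for match in CTX_LOOKUP.finditer(value):
                findings.append((here, attr, match.group(1)))
        for match in CTX_LOOKUP.finditer(elem.text or ""):
            findings.append((here, "#text", match.group(1)))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


if __name__ == "__main__":
    for path, attr, key in find_context_lookups(SAMPLE_CONFIG):
        print(f"Context Lookup on key '{key}' in {path} @{attr}")
```

An empty result means the file itself contains no Context Lookups; configurations in other formats (properties, JSON, YAML) or assembled programmatically are outside what this sketch inspects.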
