Re: Log4j2 xml configuration with Karaf 4.3.5

2021-12-23 Thread JB Onofré
Hi

That’s normal: log:* commands only work with the default log4j properties style. 

Regards 
JB

> On 23 Dec 2021 at 20:05, Jakub Herkel wrote:
> 
> I tried to set up log4j2 via XML configuration, but when I tried the
> "display" command I could see this exception:
> org.apache.karaf.shell.impl.console.osgi.LoggingCommandSessionListener/org.apache.karaf.shell.impl.console.osgi.LoggingCommandSessionListener [DEBUG] Executing command: 'display'
> org.apache.felix.configadmin/org.apache.felix.cm.impl.Log [DEBUG] getConfiguration(pid=org.ops4j.pax.logging, location=null)
> org.apache.felix.configadmin/org.apache.felix.cm.impl.Log [DEBUG] Found cached configuration org.ops4j.pax.logging bound to ?
> org.apache.felix.configadmin/org.apache.felix.cm.impl.Log [DEBUG] getConfiguration(pid=org.ops4j.pax.logging, location=null)
> org.apache.felix.configadmin/org.apache.felix.cm.impl.Log [DEBUG] Found cached configuration org.ops4j.pax.logging bound to ?
> org.apache.karaf.shell.impl.console.osgi.LoggingCommandSessionListener/org.apache.karaf.shell.impl.console.osgi.LoggingCommandSessionListener [DEBUG] Command: 'display' failed: java.lang.RuntimeException: Unable to set level for logger
> org.apache.karaf.shell.support.ShellUtil/org.apache.karaf.shell.support.ShellUtil [ERROR] Exception caught while executing command
> java.lang.RuntimeException: Unable to set level for logger
>     at org.apache.karaf.log.core.internal.LogServiceLog4j2XmlImpl.setLevel(LogServiceLog4j2XmlImpl.java:139) ~[?:?]
>     at org.apache.karaf.log.core.internal.LogServiceImpl.setLevel(LogServiceImpl.java:106) ~[?:?]
>     at org.apache.karaf.log.command.DisplayLog.execute(DisplayLog.java:74) ~[?:?]
>     at org.apache.karaf.shell.impl.action.command.ActionCommand.execute(ActionCommand.java:84) ~[?:?]
>     at org.apache.karaf.shell.impl.console.osgi.secured.SecuredCommand.execute(SecuredCommand.java:68) ~[?:?]
>     at org.apache.karaf.shell.impl.console.osgi.secured.SecuredCommand.execute(SecuredCommand.java:86) ~[?:?]
>     at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:599) ~[?:?]
>     at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:526) ~[?:?]
>     at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:415) ~[?:?]
>     at org.apache.felix.gogo.runtime.Pipe.doCall(Pipe.java:416) ~[?:?]
>     at org.apache.felix.gogo.runtime.Pipe.call(Pipe.java:229) ~[?:?]
>     at org.apache.felix.gogo.runtime.Pipe.call(Pipe.java:59) ~[?:?]
>     at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
>     at java.lang.Thread.run(Thread.java:833) [?:?]
> Caused by: org.w3c.dom.DOMException: NOT_FOUND_ERR: An attempt is made to reference a node in a context where it does not exist.
>     at com.sun.org.apache.xerces.internal.dom.ParentNode.internalInsertBefore(ParentNode.java:364) ~[?:?]
>     at com.sun.org.apache.xerces.internal.dom.ParentNode.insertBefore(ParentNode.java:286) ~[?:?]
>     at org.apache.karaf.log.core.internal.LogServiceLog4j2XmlImpl.insertIndented(LogServiceLog4j2XmlImpl.java:168) ~[?:?]
>     at org.apache.karaf.log.core.internal.LogServiceLog4j2XmlImpl.setLevel(LogServiceLog4j2XmlImpl.java:121) ~[?:?]
>     ... 15 more
> Error executing command: Unable to set level for logger
> 
> My org.ops4j.pax.logging.cfg contains:
> org.ops4j.pax.logging.log4j2.config.file=${karaf.etc}/log4j2.xml
> 
> and log4j2.xml:
> 
>
>
>
>
>
>logs/service.log
>logs/service.log.%d{-MM}
>
>
>
>
>
>
> 
>
>
>
>
>
>
>
>
> 
> 
> My environment is Fedora Linux F35 and openjdk 17.0.1.
> 
> Could someone give me any hint what is wrong with this setup?
> 
> best regards
> 
> Jakub



Log4j2 xml configuration with Karaf 4.3.5

2021-12-23 Thread Jakub Herkel
I tried to set up log4j2 via XML configuration, but when I tried the
"display" command I could see this exception:
org.apache.karaf.shell.impl.console.osgi.LoggingCommandSessionListener/org.apache.karaf.shell.impl.console.osgi.LoggingCommandSessionListener [DEBUG] Executing command: 'display'
org.apache.felix.configadmin/org.apache.felix.cm.impl.Log [DEBUG] getConfiguration(pid=org.ops4j.pax.logging, location=null)
org.apache.felix.configadmin/org.apache.felix.cm.impl.Log [DEBUG] Found cached configuration org.ops4j.pax.logging bound to ?
org.apache.felix.configadmin/org.apache.felix.cm.impl.Log [DEBUG] getConfiguration(pid=org.ops4j.pax.logging, location=null)
org.apache.felix.configadmin/org.apache.felix.cm.impl.Log [DEBUG] Found cached configuration org.ops4j.pax.logging bound to ?
org.apache.karaf.shell.impl.console.osgi.LoggingCommandSessionListener/org.apache.karaf.shell.impl.console.osgi.LoggingCommandSessionListener [DEBUG] Command: 'display' failed: java.lang.RuntimeException: Unable to set level for logger
org.apache.karaf.shell.support.ShellUtil/org.apache.karaf.shell.support.ShellUtil [ERROR] Exception caught while executing command
java.lang.RuntimeException: Unable to set level for logger
    at org.apache.karaf.log.core.internal.LogServiceLog4j2XmlImpl.setLevel(LogServiceLog4j2XmlImpl.java:139) ~[?:?]
    at org.apache.karaf.log.core.internal.LogServiceImpl.setLevel(LogServiceImpl.java:106) ~[?:?]
    at org.apache.karaf.log.command.DisplayLog.execute(DisplayLog.java:74) ~[?:?]
    at org.apache.karaf.shell.impl.action.command.ActionCommand.execute(ActionCommand.java:84) ~[?:?]
    at org.apache.karaf.shell.impl.console.osgi.secured.SecuredCommand.execute(SecuredCommand.java:68) ~[?:?]
    at org.apache.karaf.shell.impl.console.osgi.secured.SecuredCommand.execute(SecuredCommand.java:86) ~[?:?]
    at org.apache.felix.gogo.runtime.Closure.executeCmd(Closure.java:599) ~[?:?]
    at org.apache.felix.gogo.runtime.Closure.executeStatement(Closure.java:526) ~[?:?]
    at org.apache.felix.gogo.runtime.Closure.execute(Closure.java:415) ~[?:?]
    at org.apache.felix.gogo.runtime.Pipe.doCall(Pipe.java:416) ~[?:?]
    at org.apache.felix.gogo.runtime.Pipe.call(Pipe.java:229) ~[?:?]
    at org.apache.felix.gogo.runtime.Pipe.call(Pipe.java:59) ~[?:?]
    at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
    at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: org.w3c.dom.DOMException: NOT_FOUND_ERR: An attempt is made to reference a node in a context where it does not exist.
    at com.sun.org.apache.xerces.internal.dom.ParentNode.internalInsertBefore(ParentNode.java:364) ~[?:?]
    at com.sun.org.apache.xerces.internal.dom.ParentNode.insertBefore(ParentNode.java:286) ~[?:?]
    at org.apache.karaf.log.core.internal.LogServiceLog4j2XmlImpl.insertIndented(LogServiceLog4j2XmlImpl.java:168) ~[?:?]
    at org.apache.karaf.log.core.internal.LogServiceLog4j2XmlImpl.setLevel(LogServiceLog4j2XmlImpl.java:121) ~[?:?]
    ... 15 more
Error executing command: Unable to set level for logger

My org.ops4j.pax.logging.cfg contains:
org.ops4j.pax.logging.log4j2.config.file=${karaf.etc}/log4j2.xml

and log4j2.xml:






logs/service.log
logs/service.log.%d{-MM}

















My environment is Fedora Linux F35 and openjdk 17.0.1.

Could someone give me any hint what is wrong with this setup?

best regards

Jakub


Re: Updated mitigation for Log4JShell in Karaf 4.2.x and 4.3.x since setting log4j2.formatMsgNoLookups is an insufficient mitigation measure

2021-12-23 Thread JB Onofré
It makes sense, as it’s for a short period. 

Regards 
JB

> On 23 Dec 2021 at 19:19, Paul Spencer wrote:
> 
> JB,
> Karaf upgrades will be done, just not during the holiday breaks when 
> compliance resources are scarce.  Mitigating the issue by setting 
> log4j2.formatMsgNoLookups and removing the JndiLookup.class will allow the 
> current environment to run while upgrades are run through each customer's 
> compliance and deployment processes.
> 
> Thank you and the Karaf team for rapidly releasing updated versions of Karaf 
> to address the CVE.  The updated Karaf will be incorporated into our 
> products and pushed through the release and deployment process as quickly as 
> possible.
> 
> Paul Spencer
> 



Re: Updated mitigation for Log4JShell in Karaf 4.2.x and 4.3.x since setting log4j2.formatMsgNoLookups is an insufficient mitigation measure

2021-12-23 Thread Paul Spencer
JB,
Karaf upgrades will be done, just not during the holiday breaks when compliance 
resources are scarce.  Mitigating the issue by setting 
log4j2.formatMsgNoLookups and removing the JndiLookup.class will allow the 
current environment to run while upgrades are run through each customer's 
compliance and deployment processes.

Thank you and the Karaf team for rapidly releasing updated versions of Karaf to 
address the CVE.  The updated Karaf will be incorporated into our products 
and pushed through the release and deployment process as quickly as possible.

Paul Spencer

> On Dec 23, 2021, at 12:42 PM, Jean-Baptiste Onofre  wrote:
> 
> It would mitigate only the JNDI part, not the other CVE (about the lookup).
> 
> Anyway, it’s a good workaround.
> 
> I don’t understand why you don’t want to upgrade to a new version. It’s 
> exactly the purpose of the new releases to address CVEs.
> Else, why would we do new releases if you are stuck with old versions? Log4j 
> did a couple of new releases to address the CVE issue, so it’s worth updating.
> 
> Regards
> JB
> 



Re: Updated mitigation for Log4JShell in Karaf 4.2.x and 4.3.x since setting log4j2.formatMsgNoLookups is an insufficient mitigation measure

2021-12-23 Thread Jean-Baptiste Onofre
It would mitigate only the JNDI part, not the other CVE (about the lookup).

Anyway, it’s a good workaround.

I don’t understand why you don’t want to upgrade to a new version. It’s exactly 
the purpose of the new releases to address CVEs.
Else, why would we do new releases if you are stuck with old versions? Log4j 
did a couple of new releases to address the CVE issue, so it’s worth updating.

Regards
JB

> On 23 Dec 2021 at 18:37, Paul Spencer wrote:
> 
> JB,
> Aymen Furter suggested the following:
> 
> $ cd karaf-directory
> $ zip -q -d $(find . | grep pax-logging-log4j2 | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
> $ zip -q -d $(grep -rlnw . -e "pax-logging-log4j2" | grep "data/cache/bundle" | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
> 
> 
> This looks like a reasonable short-term workaround that is relatively easy to 
> implement. Relative to Karaf and its services, do you see any potential 
> problems with the workaround?
> 
> 
> Paul Spencer
> 



Re: Updated mitigation for Log4JShell in Karaf 4.2.x and 4.3.x since setting log4j2.formatMsgNoLookups is an insufficient mitigation measure

2021-12-23 Thread Paul Spencer
JB,
Aymen Furter suggested the following:

$ cd karaf-directory
$ zip -q -d $(find . | grep pax-logging-log4j2 | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
$ zip -q -d $(grep -rlnw . -e "pax-logging-log4j2" | grep "data/cache/bundle" | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class


This looks like a reasonable short-term workaround that is relatively easy to 
implement. Relative to Karaf and its services, do you see any potential 
problems with the workaround?


Paul Spencer

> On Dec 23, 2021, at 12:17 PM, JB Onofré  wrote:
> 
> Then create your own custom distro upgrading pax logging. 
> 



Re: Updated mitigation for Log4JShell in Karaf 4.2.x and 4.3.x since setting log4j2.formatMsgNoLookups is an insufficient mitigation measure

2021-12-23 Thread JB Onofré
Then create your own custom distro upgrading pax logging. 

> On 23 Dec 2021 at 17:23, Paul Spencer wrote:
> 
> JB,
> As stated earlier, upgrading Karaf is not an option in the short term.
> 
> Paul Spencer
> 
> 



Re: Updated mitigation for Log4JShell in Karaf 4.2.x and 4.3.x since setting log4j2.formatMsgNoLookups is an insufficient mitigation measure

2021-12-23 Thread Aymen Furter
Hi Paul,

My two cents as a Karaf user:

a) You could switch to Logback (this breaks some Karaf features, like the
log:xxx commands):

karaf@root()> shell:exec curl -o etc/logback.xml https://raw.githubusercontent.com/pedestal/samples/master/auto-reload-server/config/logback.xml
karaf@root()> shell:exec echo "org.ops4j.pax.logging.StaticLogbackContext=true" >> etc/system.properties
karaf@root()> shell:exec echo "org.ops4j.pax.logging.StaticLogbackFile=etc/logback.xml" >> etc/system.properties
karaf@root()> feature:install framework-logback
karaf@root()> feature:uninstall framework

# Restart Karaf

b) You could patch the Pax Logging jars (both in the system folder and in
the cache) using the approach you provided:

$ cd karaf-directory
$ zip -q -d $(find . | grep pax-logging-log4j2 | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
$ zip -q -d $(grep -rlnw . -e "pax-logging-log4j2" | grep "data/cache/bundle" | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class


Cheers
Aymen

Aymen Furter
http://www.aymenfurter.ch


On Thu, 23 Dec 2021 at 17:23, Paul Spencer <paulspen...@mindspring.com> wrote:

> JB,
> As stated earlier, upgrading Karaf is not an option in the short term.
>
> Paul Spencer
>
>


Re: Updated mitigation for Log4JShell in Karaf 4.2.x and 4.3.x since setting log4j2.formatMsgNoLookups is an insufficient mitigation measure

2021-12-23 Thread Paul Spencer
JB,
As stated earlier, upgrading Karaf is not an option in the short term.

Paul Spencer


> On Dec 23, 2021, at 11:21 AM, JB Onofré  wrote:
> 
> Upgrade to Karaf 4.2.13. 
> 



Re: Updated mitigation for Log4JShell in Karaf 4.2.x and 4.3.x since setting log4j2.formatMsgNoLookups is an insufficient mitigation measure

2021-12-23 Thread JB Onofré
Upgrade to Karaf 4.2.13. 

> On 23 Dec 2021 at 17:02, Paul Spencer wrote:
> 
> In light of the updated mitigation for Log4JShell published by Log4J[1], 
> specifically "zip -q -d log4j-core-*.jar 
> org/apache/logging/log4j/core/lookup/JndiLookup.class", the insufficiency of 
> setting the system property log4j2.formatMsgNoLookups as a mitigation measure, and 
> the presence of JndiLookup.class in the pax-logging-log4j2 jar, what is the 
> suggested mitigation for Karaf 4.2.x and Karaf 4.3.x when upgrading Karaf is 
> not an option in the short term?
> 
> ***
> * Example from Karaf 4.2.9
> 
> [user@localhost karaf]$ zip -sf ./system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar | grep JndiLookup
>   org/apache/logging/log4j/core/lookup/JndiLookup.class
> [user@localhost karaf]$ 
> 
> Paul Spencer
> 
> [1] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
> 
> 



Updated mitigation for Log4JShell in Karaf 4.2.x and 4.3.x since setting log4j2.formatMsgNoLookups is an insufficient mitigation measure

2021-12-23 Thread Paul Spencer
In light of the updated mitigation for Log4JShell published by Log4J[1], 
specifically "zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class", the insufficiency of 
setting the system property log4j2.formatMsgNoLookups as a mitigation measure, and 
the presence of JndiLookup.class in the pax-logging-log4j2 jar, what is the 
suggested mitigation for Karaf 4.2.x and Karaf 4.3.x when upgrading Karaf is 
not an option in the short term?

***
* Example from Karaf 4.2.9

[user@localhost karaf]$ zip -sf ./system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar | grep JndiLookup
  org/apache/logging/log4j/core/lookup/JndiLookup.class
[user@localhost karaf]$ 

Paul Spencer

[1] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
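As an added example (not code from this thread, from Aymen Furter, Paul Spencer, or the Karaf project), the following Python does over a whole installation what Paul's `zip -sf ... | grep JndiLookup` check does for one jar: it walks both the `system/` repository and the `data/cache/bundle*` copies that the second `zip -q -d` command in the thread patches, opens every jar as a zip archive, and reports which ones still carry `org/apache/logging/log4j/core/lookup/JndiLookup.class`. That lets you confirm the workaround reached every copy before relying on it, and it flags files with a `.jar` suffix that cannot be opened at all. The directory tree it builds is a constructed fixture; the cache path `data/cache/bundle42/version0.0/bundle.jar` is an assumed layout rather than something the thread states. As JB points out above, presence of this one class is only the JNDI part of the problem, not the other lookup CVE he mentions.

```python
"""Report every jar below a Karaf home that still ships JndiLookup.class.

Added example, not code from the thread or from Karaf. The fixture built by
build_sample_karaf_home() is constructed for the demo; the bundle-cache path
data/cache/bundle42/version0.0/bundle.jar is an assumed layout.
"""
import os
import tempfile
import zipfile
from typing import Dict, List

# The archive entry that the thread's "zip -q -d ... JndiLookup.class" removes.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_jars(root: str) -> List[str]:
    """Every *.jar below root, so data/cache is covered as well as system/."""
    jars = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                jars.append(os.path.join(dirpath, name))
    return sorted(jars)


def has_jndi_lookup(jar_path: str) -> bool:
    """True if the archive still lists the JndiLookup class entry.
    Raises zipfile.BadZipFile when the file is not a valid archive."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_ENTRY in zf.namelist()


def scan(karaf_home: str) -> Dict[str, List[str]]:
    """Classify each jar under karaf_home (paths relative to it, sorted):
    'unpatched' still ships JndiLookup.class, 'clean' does not, and
    'unreadable' could not be opened as a zip and needs a manual look."""
    report: Dict[str, List[str]] = {"unpatched": [], "clean": [], "unreadable": []}
    for jar in find_jars(karaf_home):
        rel = os.path.relpath(jar, karaf_home).replace(os.sep, "/")
        try:
            bucket = "unpatched" if has_jndi_lookup(jar) else "clean"
        except zipfile.BadZipFile:
            bucket = "unreadable"
        report[bucket].append(rel)
    return report


def build_sample_karaf_home(base: str) -> str:
    """Constructed fixture, not a real install: an unpatched pax-logging-log4j2
    jar in system/, its bundle-cache copy, one jar already patched, and one
    corrupt file with a .jar suffix."""
    home = os.path.join(base, "karaf")
    repo_jar = os.path.join(home, "system", "org", "ops4j", "pax", "logging",
                            "pax-logging-log4j2", "1.11.6",
                            "pax-logging-log4j2-1.11.6.jar")
    cache_jar = os.path.join(home, "data", "cache", "bundle42", "version0.0", "bundle.jar")
    patched_jar = os.path.join(home, "system", "other", "patched-1.0.jar")
    for path, with_jndi in ((repo_jar, True), (cache_jar, True), (patched_jar, False)):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            # Empty placeholder bytes stand in for real class files.
            zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_ENTRY, b"")
    corrupt = os.path.join(home, "data", "tmp", "corrupt.jar")
    os.makedirs(os.path.dirname(corrupt), exist_ok=True)
    with open(corrupt, "wb") as fh:
        fh.write(b"not a zip archive")
    return home


def demo_report() -> Dict[str, List[str]]:
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_karaf_home(tmp))


if __name__ == "__main__":
    for bucket, paths in demo_report().items():
        for rel in paths:
            print(f"{bucket:10s} {rel}")
```

Point `scan()` at a real Karaf home instead of the fixture to get the same three buckets; an empty `unpatched` list after running the two `zip -q -d` commands is the result you want, and anything in `unreadable` deserves a look because the `zip -d` edit can leave a truncated archive behind if it is interrupted.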