Correct - by hotfix I mean updating the log4j version without upgrading to
karaf 4.3.4. Restarting Karaf is not an issue.
Thanks for the hint regarding bundle:update.
I prefer removing the vulnerable log4j from the classpath (which this
procedure achieves).
On Mon., 13 Dec. 2021 at 14:02
By hotfix, you mean patching while running?
Maybe you can do a bundle:update instead of bundle:install, but
basically correct.
My point is that you don't have to upgrade if you use the workaround
(that can be added at runtime, restart pax-logging bundle).
Regards
JB
On 13/12/2021 14:00,
Hi JB,
OK - Let me summarize.
If I want to do a hotfix, I need to swap Pax Logging (the run level fixed my
previous problem):
bundle:install -l 8 mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11
bundle:install -l 8 mvn:org.ops4j.pax.logging/pax-logging-api/2.0.11
bundle:uninstall 6
Hi Raggy,
Without upgrading, you can use a workaround.
log4j2.formatMsgNoLookups=true in etc/system.properties should do the trick.
If you want to upgrade, you have to change in etc/startup.properties
(and populate system repo).
Regards
JB
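The two remedies JB describes above (the formatMsgNoLookups workaround in etc/system.properties and loading a newer pax-logging-log4j2, 2.0.11 in this thread) can be audited from a Karaf home's configuration. The shell helper below is an added example, not code from the thread or from the Karaf project; it assumes the standard etc/system.properties and etc/startup.properties locations and treats 2.0.11 as the minimum acceptable pax-logging-log4j2 version.

```shell
#!/bin/sh
# Added audit helper, not from the thread. Checks a Karaf home for the two
# remedies discussed: the formatMsgNoLookups workaround in etc/system.properties
# and the pax-logging-log4j2 version in etc/startup.properties. FLOOR is the
# version the thread swaps in, assumed here to be the minimum acceptable one.
FLOOR="2.0.11"

# 0 if etc/system.properties enables the workaround on an uncommented line
# (spaces around '=' tolerated), 1 otherwise (also when the file is missing).
workaround_enabled() {
    grep -Eq '^[[:space:]]*log4j2\.formatMsgNoLookups[[:space:]]*=[[:space:]]*true[[:space:]]*$' \
        "$1/etc/system.properties" 2>/dev/null
}

# Print -1, 0 or 1 for dotted versions a<b, a=b, a>b (missing parts count as 0).
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); len = n > m ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Print each pax-logging-log4j2 version etc/startup.properties loads at boot,
# matching both the "mvn:" and the escaped "mvn\:" key form, comments skipped.
startup_log4j2_versions() {
    grep -v '^[[:space:]]*#' "$1/etc/startup.properties" 2>/dev/null \
        | grep -oE 'pax-logging-log4j2/[0-9][0-9.]*' | cut -d/ -f2
}

# Verdict for one Karaf home: prints a line, returns 0 (remediated) or 1 (exposed).
audit_karaf() {
    if workaround_enabled "$1"; then
        echo "workaround: log4j2.formatMsgNoLookups=true set in etc/system.properties"
        return 0
    fi
    for v in $(startup_log4j2_versions "$1"); do
        if [ "$(version_cmp "$v" "$FLOOR")" -lt 0 ]; then
            echo "exposed: startup.properties loads pax-logging-log4j2 $v (< $FLOOR), no workaround"
            return 1
        fi
    done
    echo "ok: no pax-logging-log4j2 older than $FLOOR in etc/startup.properties"
    return 0
}
```

This reads only the boot configuration; a bundle swapped at runtime with bundle:install/bundle:uninstall lives in the bundle cache, so confirm that case with bundle:list in the Karaf console as the thread does.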
On 13/12/2021 13:42, Raggy Fab wrote:
Hello,
I am aware that the new karaf version 4.3.4 will fix the Log4j
Vulnerability (CVE-2021-44228).
However, I can't upgrade karaf in my project. Is there a hotfix option?
(Ideally only touching log4j)
I tried to swap out Pax Logging:
bundle:install