Hi Raggy,

Without upgrading, you can use a workaround.

log4j2.formatMsgNoLookups=true in etc/system.properties should do the trick.

If you want to upgrade, you have to change in etc/startup.properties (and populate system repo).

Regards
JB

On 13/12/2021 13:42, Raggy Fab wrote:
Hello,

I am aware that the new Karaf version 4.3.4 will fix the Log4j Vulnerability (CVE-2021-44228).

However, I can't upgrade Karaf in my project. Is there a hotfix option? (Ideally only touching log4j)

I tried to swap out Pax Logging:
bundle:install mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11
bundle:install mvn:org.ops4j.pax.logging/pax-logging-api/2.0.11
bundle:uninstall 6
bundle:uninstall 7

Log files are written, but I get class path issues like (Bundles no longer starting up):
ClassNotFoundException: org.apache.commons.logging.LogFactory

kind regards,
Raggy
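
The workaround from the reply at the top of this thread, as an added example that is not part of the original messages: a POSIX shell helper that sets log4j2.formatMsgNoLookups=true in a Karaf etc/system.properties idempotently, replacing an active assignment that has another value and keeping a .bak copy. The function names, the `--demo` switch and the file path passed as the argument are assumptions.

```shell
#!/bin/sh
PROP='log4j2.formatMsgNoLookups'

# mode=get:   print the value of the last active assignment of PROP in file $2.
# mode=strip: print file $2 without its active assignments of PROP.
# Comment lines (# or !) never match because they do not start with the key.
prop_awk() {
    awk -v key="$PROP" -v mode="$1" '
        {
            line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            rest = substr(line, length(key) + 1)
            # Properties syntax: key, then "=", ":" or whitespace as separator.
            hit = (index(line, key) == 1 && rest ~ /^[ \t]*[=:]|^[ \t]+/)
            if (hit) { sub(/^[ \t]*[=:]?[ \t]*/, "", rest); val = rest; seen = 1 }
            if (mode == "strip" && !hit) print
        }
        END { if (mode == "get" && seen) print val }
    ' "$2"
}

# Ensure PROP=true in the given system.properties file.
# Prints "unchanged" or "updated"; returns 2 on error.
apply_workaround() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    current=$(prop_awk get "$file")
    if [ "$current" = "true" ]; then
        echo "unchanged"; return 0
    fi
    cp -p "$file" "$file.bak" || return 2
    { prop_awk strip "$file.bak"; printf '%s=true\n' "$PROP"; } > "$file" || return 2
    echo "updated"
}

# Demo on a constructed file (not a real Karaf installation).
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '# constructed sample' 'karaf.name = root' "$PROP : false" > "$tmp"
    apply_workaround "$tmp"; cat "$tmp"; rm -f "$tmp" "$tmp.bak"
}

if [ "${1:-}" = "--demo" ]; then
    demo
elif [ -n "${1:-}" ]; then
    apply_workaround "$1"    # e.g. the etc/system.properties of the Karaf instance
fi
```

System properties are read at JVM start, so the setting applies after the Karaf instance is restarted.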
