Hi JB,

OK - Let me summarize.

If I want to do a hotfix, I need to swap pax logging (run level fixed my previous problem):

bundle:install -l 8 mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11
bundle:install -l 8 mvn:org.ops4j.pax.logging/pax-logging-api/2.0.11
bundle:uninstall 6
bundle:uninstall 7

Then replace old pax-logging-api and pax-logging-log4j2 entries in startup.properties:

mvn\:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11 = 8
mvn\:org.ops4j.pax.logging/pax-logging-api/2.0.11 = 8

Correct?
This should be a fairly safe upgrade, even for older Karaf versions, do you agree?

Kind Regards,
Raggy

On Mon, 13 Dec 2021 at 13:44, Jean-Baptiste Onofré <[email protected]> wrote:

> Hi Raggy,
>
> without upgrading, you can use a workaround.
>
> log4j2.formatMsgNoLookups=true in etc/system.properties should do the
> trick.
>
> If you want to upgrade, you have to change in etc/startup.properties
> (and populate system repo).
>
> Regards
> JB
>
> On 13/12/2021 13:42, Raggy Fab wrote:
> > Hello,
> >
> > I am aware that the new karaf version 4.3.4 will fix the Log4j
> > Vulnerability (CVE-2021-44228).
> >
> > However, I can't upgrade karaf in my project. Is there a hotfix option?
> > (Ideally only touching log4j)
> >
> > I tried to swap out Pax Logging:
> > bundle:install mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11
> > bundle:install mvn:org.ops4j.pax.logging/pax-logging-api/2.0.11
> > bundle:uninstall 6
> > bundle:uninstall 7
> >
> > Log files are written, but I get class path issues like (Bundles no
> > longer starting up):
> > ClassNotFoundException: org.apache.commons.logging.LogFactory
> >
> > kind regards,
> > Raggy
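An added example, not part of the thread and not Karaf or Pax Logging code: a small audit of the two files the thread touches, reporting which pax-logging entries etc/startup.properties carries (including old ones left beside the 2.0.11 entries) and whether the log4j2.formatMsgNoLookups workaround is set in etc/system.properties. The function names, the sample file contents and the 2.0.9 version in them are constructed for illustration.

```python
import re

GROUP = "org.ops4j.pax.logging"
ARTIFACTS = ("pax-logging-api", "pax-logging-log4j2")
LINE = re.compile(r"^((?:\\.|[^=:\s\\])+)\s*[=:\s]\s*(.*)$")

def parse_props(text):
    """Minimal Java .properties reader: comments, '=' / ':' separators, '\\:' escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = LINE.match(line)
        if m:
            props[re.sub(r"\\(.)", r"\1", m.group(1))] = m.group(2).strip()
    return props

def audit(startup_text, system_text, wanted="2.0.11"):
    """Report pax-logging entries in startup.properties and the no-lookups flag."""
    found = {a: {} for a in ARTIFACTS}          # artifact -> {version: start level}
    for key, level in parse_props(startup_text).items():
        m = re.fullmatch(r"mvn:([^/]+)/([^/]+)/([^/]+)", key)
        if m and m.group(1) == GROUP and m.group(2) in found:
            found[m.group(2)][m.group(3)] = level
    return {
        "found": found,
        "missing": [a for a in ARTIFACTS if wanted not in found[a]],
        "stale": sorted(f"{a}/{v}" for a in ARTIFACTS for v in found[a] if v != wanted),
        "no_lookups_flag": parse_props(system_text).get("log4j2.formatMsgNoLookups") == "true",
    }

# Constructed sample input (not from the thread): the old entries were left in place.
SAMPLE_STARTUP = r"""
# constructed example
mvn\:org.example/some-bundle/1.0.0 = 5
mvn\:org.ops4j.pax.logging/pax-logging-api/2.0.9 = 8
mvn\:org.ops4j.pax.logging/pax-logging-log4j2/2.0.9 = 8
mvn\:org.ops4j.pax.logging/pax-logging-api/2.0.11 = 8
mvn\:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11 = 8
"""
SAMPLE_SYSTEM = "karaf.name = root\nlog4j2.formatMsgNoLookups=true\n"

if __name__ == "__main__":
    for name, value in audit(SAMPLE_STARTUP, SAMPLE_SYSTEM).items():
        print(f"{name}: {value}")
```

A non-empty "stale" list means old pax-logging lines are still present in startup.properties next to the replacements; "missing" lists artifacts with no entry at the wanted version.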
