Then create your own custom distro upgrading pax logging. 

> On Dec 23, 2021, at 5:23 PM, Paul Spencer <paulspen...@mindspring.com> wrote:
> 
> JB,
> As stated earlier, upgrading Karaf is not an option in the short term.
> 
> Paul Spencer
> 
> 
>> On Dec 23, 2021, at 11:21 AM, JB Onofré <j...@nanthrax.net> wrote:
>> 
>> Upgrade to Karaf 4.2.13. 
>> 
>>>> On Dec 23, 2021, at 5:02 PM, Paul Spencer <paulspen...@mindspring.com> wrote:
>>> 
>>> In light of the updated mitigation for the Log4JShell published by
>>> Log4J[1], specifically "zip -q -d log4j-core-*.jar
>>> org/apache/logging/log4j/core/lookup/JndiLookup.class", the insufficient
>>> mitigation measure of setting system property log4j2.formatMsgNoLookups,
>>> and the presence of JndiLookup.class in the pax-logging-log4j2 jar, what is
>>> the suggested mitigation for Karaf 4.2.x and Karaf 4.3.x when upgrading
>>> Karaf is not an option in the short term?
>>> 
>>> ***
>>> * Example from Karaf 4.2.9
>>> ****
>>> [user@localhost karaf]$ zip -sf ./system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar | grep JndiLookup
>>> org/apache/logging/log4j/core/lookup/JndiLookup.class
>>> [user@localhost karaf]$ 
>>> 
>>> Paul Spencer
>>> 
>>> [1] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
>>> 
>>> 
>> 
> 
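
An added example, not part of the thread and not code from the Karaf or Pax Logging projects: a Python audit for the check Paul runs by hand, which walks a directory tree for jars that still contain JndiLookup.class and rewrites a jar without that entry, the same effect as the `zip -q -d` command quoted above. The function names and the dummy jar built in `demo()` are constructed for illustration.

```python
import os
import tempfile
import zipfile

# Class path taken from the mitigation command quoted in the thread.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def find_jars_with_jndilookup(root):
    """Return sorted paths of .jar files under root that contain JndiLookup.class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # is_zipfile() skips truncated or non-zip files instead of aborting the audit.
            if name.endswith(".jar") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as jar:
                    if JNDI_CLASS in jar.namelist():
                        hits.append(path)
    return sorted(hits)

def strip_jndilookup(jar_path):
    """Rewrite jar_path without JndiLookup.class; return the number of entries removed."""
    removed = 0
    fd, tmp_path = tempfile.mkstemp(suffix=".tmp", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed += 1
                continue
            # Copy every other entry unchanged (name, timestamp, compression).
            dst.writestr(item, src.read(item.filename))
    os.replace(tmp_path, jar_path)  # swap in the patched jar in one step
    return removed

def demo():
    """Constructed sample: a dummy jar laid out like the Karaf 4.2.9 path in the thread."""
    with tempfile.TemporaryDirectory() as root:
        jar_dir = os.path.join(root, "system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6")
        os.makedirs(jar_dir)
        jar_path = os.path.join(jar_dir, "pax-logging-log4j2-1.11.6.jar")
        with zipfile.ZipFile(jar_path, "w") as jar:  # placeholder bytes, not real classes
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            jar.writestr(JNDI_CLASS, b"constructed placeholder")
        before = len(find_jars_with_jndilookup(root))
        removed = strip_jndilookup(jar_path)
        with zipfile.ZipFile(jar_path) as jar:
            kept = jar.namelist()
        return before, removed, len(find_jars_with_jndilookup(root)), kept
```

Running `find_jars_with_jndilookup` again after patching confirms that no jar under the scanned root still carries the class.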
