It makes sense, as it’s for a short period.

Regards 
JB

> On 23 Dec 2021 at 19:19, Paul Spencer <paulspen...@mindspring.com> wrote:
> 
> JB,
> Karaf upgrades will be done, just not during the holiday breaks when 
> compliance resources are scarce.  Mitigating the issue by setting 
> log4j2.formatMsgNoLookups and removing the JndiLookup.class will allow the 
> current environment to run while upgrades are run through each customer's 
> compliance and deployment processes.
> 
> Thank you and the Karaf team for rapidly releasing updated versions of Karaf 
> to address the CVE.  The updated Karaf will be incorporated into our 
> products and pushed through the release and deployment process as quickly as 
> possible.
> 
> Paul Spencer
> 
>> On Dec 23, 2021, at 12:42 PM, Jean-Baptiste Onofre <j...@nanthrax.net> wrote:
>> 
>> It would mitigate only the JNDI part, not the other CVE (about the lookup).
>> 
>> Anyway, it’s a good workaround.
>> 
>> I don’t understand why you don’t want to upgrade to a new version. It’s 
>> exactly the purpose of the new releases to address CVEs.
>> Else, why would we do new releases if you are stuck with old versions? Log4j 
>> did a couple of new releases to address the CVE issue, so it’s worth updating.
>> 
>> Regards
>> JB
>> 
>>> On 23 Dec 2021 at 18:37, Paul Spencer <paulspen...@mindspring.com> wrote:
>>> 
>>> JB,
>>> Aymen Furter suggested the following:
>>> 
>>> $ cd karaf-directory
>>> $ zip -q -d $(find . | grep pax-logging-log4j2 | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
>>> $ zip -q -d $(grep -rlnw . -e "pax-logging-log4j2" | grep "data/cache/bundle" | grep jar) org/apache/logging/log4j/core/lookup/JndiLookup.class
>>> 
>>> 
>>> This looks like a reasonable short term workaround that is relatively easy 
>>> to implement. Relative to the Karaf and its services, do you see any 
>>> potential problems with the workaround?
>>> 
>>> 
>>> Paul Spencer
>>> 
>>>> On Dec 23, 2021, at 12:17 PM, JB Onofré <j...@nanthrax.net> wrote:
>>>> 
>>>> Then create your own custom distro upgrading pax logging. 
>>>> 
>>>>> On 23 Dec 2021 at 17:23, Paul Spencer <paulspen...@mindspring.com> wrote:
>>>>> 
>>>>> JB,
>>>>> As stated earlier, upgrading Karaf is not an option in the short term.
>>>>> 
>>>>> Paul Spencer
>>>>> 
>>>>> 
>>>>>> On Dec 23, 2021, at 11:21 AM, JB Onofré <j...@nanthrax.net> wrote:
>>>>>> 
>>>>>> Upgrade to Karaf 4.2.13. 
>>>>>> 
>>>>>>> On 23 Dec 2021 at 17:02, Paul Spencer <paulspen...@mindspring.com> wrote:
>>>>>>> 
>>>>>>> In light of the updated mitigation for Log4Shell published by 
>>>>>>> Log4J[1], specifically "zip -q -d log4j-core-*.jar 
>>>>>>> org/apache/logging/log4j/core/lookup/JndiLookup.class", the 
>>>>>>> insufficient mitigation measure of setting the system property 
>>>>>>> log4j2.formatMsgNoLookups, and the presence of JndiLookup.class in the 
>>>>>>> pax-logging-log4j2 jar, what is the suggested mitigation for Karaf 
>>>>>>> 4.2.x and Karaf 4.3.x when upgrading Karaf is not an option in the 
>>>>>>> short term?
>>>>>>> 
>>>>>>> ***
>>>>>>> * Example from Karaf 4.2.9
>>>>>>> ***
>>>>>>> [user@localhost karaf]$ zip -sf ./system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.6/pax-logging-log4j2-1.11.6.jar | grep JndiLookup
>>>>>>> org/apache/logging/log4j/core/lookup/JndiLookup.class
>>>>>>> [user@localhost karaf]$ 
>>>>>>> 
>>>>>>> Paul Spencer
>>>>>>> 
>>>>>>> [1] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
>>>>>>> 
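The workaround Aymen Furter suggested above has two parts: the pax-logging-log4j2 jar in the system/ repository, and the already-extracted copy in the bundle cache under data/cache/, which is what a running Karaf actually loads. The script below is an added example, not code from this thread or from the Karaf or Pax Logging projects. It does the same job as the two `zip -q -d` commands using Python's zipfile (an entry cannot be deleted in place, so each jar is rewritten without the class), finds cache copies by their manifest rather than by file name, and is idempotent. The Karaf directory tree it builds, the bundle symbolic names and the dummy class bytes are constructed sample data, not a real distribution.

```python
"""Strip JndiLookup.class from the pax-logging-log4j2 jars of a Karaf install.

Same effect as `zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class`,
applied to the system/ repository copy and to the bundle-cache copy under data/cache/.
"""
import os
import shutil
import tempfile
import zipfile

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_MARKER = "pax-logging-log4j2"


def find_candidate_jars(karaf_root):
    """Return every pax-logging-log4j2 jar under karaf_root.

    Jars in system/ carry the artifact name in their file name. Copies in the
    bundle cache are all called bundle.jar, so those are recognised by the
    bundle name in META-INF/MANIFEST.MF (the thread's grep -rl relies on the
    same string being present in the file).
    """
    found = []
    for dirpath, _, filenames in os.walk(karaf_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not name.endswith(".jar") or not zipfile.is_zipfile(path):
                continue
            if JAR_MARKER in name:
                found.append(path)
            elif os.sep.join(["data", "cache"]) in path:
                with zipfile.ZipFile(path) as zf:
                    if "META-INF/MANIFEST.MF" in zf.namelist():
                        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                        if JAR_MARKER in manifest:
                            found.append(path)
    return sorted(found)


def has_jndi_lookup(jar_path):
    """True if the jar still ships the JNDI lookup class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_ENTRY in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JNDI_ENTRY. Returns True if an entry was removed.

    Entries are copied in their original order (so META-INF/MANIFEST.MF stays
    first) into a temp file next to the jar, which then replaces the original.
    """
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path), suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_ENTRY:
                dst.writestr(info, src.read(info.filename))
    shutil.copymode(jar_path, tmp_path)
    os.replace(tmp_path, jar_path)
    return True


def mitigate(karaf_root):
    """Patch every candidate jar; map path -> whether the class was removed."""
    return {path: strip_jndi_lookup(path) for path in find_candidate_jars(karaf_root)}


# ---- constructed sample data (not a real Karaf distribution) ----
def _write_jar(path, bundle_name, with_jndi):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    fake_class = b"\xca\xfe\xba\xbe" + b"\x00" * 8  # placeholder bytes, not real bytecode
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nBundle-SymbolicName: %s\r\n\r\n" % bundle_name)
        zf.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", fake_class)
        if with_jndi:
            zf.writestr(JNDI_ENTRY, fake_class)


def build_sample_karaf(root):
    """Minimal fake tree: one system jar, its bundle-cache copy, one unrelated bundle."""
    _write_jar(os.path.join(root, "system", "org", "ops4j", "pax", "logging",
                            "pax-logging-log4j2", "1.11.6", "pax-logging-log4j2-1.11.6.jar"),
               "org.ops4j.pax.logging.pax-logging-log4j2", True)
    _write_jar(os.path.join(root, "data", "cache", "bundle7", "version0.0", "bundle.jar"),
               "org.ops4j.pax.logging.pax-logging-log4j2", True)
    _write_jar(os.path.join(root, "data", "cache", "bundle3", "version0.0", "bundle.jar"),
               "org.example.unrelated", False)


def demo():
    """Run the workaround twice against the constructed tree; returns counts for checking."""
    root = tempfile.mkdtemp(prefix="karaf-demo-")
    try:
        build_sample_karaf(root)
        vulnerable_before = sum(has_jndi_lookup(p) for p in find_candidate_jars(root))
        first_run = sorted(mitigate(root).values())
        second_run = sorted(mitigate(root).values())  # nothing left to strip
        vulnerable_after = sum(has_jndi_lookup(p) for p in find_candidate_jars(root))
        return vulnerable_before, first_run, second_run, vulnerable_after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for jar, removed in mitigate(sys.argv[1]).items():
            print(("removed from " if removed else "already absent in ") + jar)
    else:
        print(demo())
```

Run it as `python strip_jndi.py /path/to/karaf` against a stopped instance and restart Karaf afterwards, since the cache copy is what the running framework has loaded. As JB points out earlier in the thread, removing the class addresses only the JNDI lookup, so it is a stopgap until the Karaf upgrade goes through.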
