Log4j vulnerability

Even shorter version (for 3.0.x):

karaf@root> la -l|grep -i pax.logging
  5 | Active   |   8 | 1.11.6                  | mvn:org.ops4j.pax.logging/pax-logging-api/1.11.6
  6 | Active   |   8 | 1.11.6                  | mvn:org.ops4j.pax.logging/pax-logging-log4j2/1.11.6
karaf@root> update 5 https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-api/1.11.11/pax-logging-api-1.11.11.jar
karaf@root> update 6 https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-log4j2/1.11.11/pax-logging-log4j2-1.11.11.jar

For 3.1.x:

karaf@root> la -l|grep -i pax.logging
  5 | Active   |   8 | 2.0.9                  | mvn:org.ops4j.pax.logging/pax-logging-api/2.0.9
  6 | Active   |   8 | 2.0.9                  | mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.9
karaf@root> update 5 https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-api/2.0.12/pax-logging-api-2.0.12.jar
karaf@root> update 6 https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-log4j2/2.0.12/pax-logging-log4j2-2.0.12.jar

Then restart the whole thing. Please note that during the update you may see log entries in the console. Once the second update command has been performed and the restart is done, everything should be back to normal. This fix will work as long as you don’t do a “clean”. It updates the currently running distribution as long as you do not remove the caches.
You can’t use the addons folder to override distribution files, but you can copy the new files into:

$KARAF_HOME/system/org/ops4j/pax/logging/pax-logging-api/1.11.6/pax-logging-api-1.11.6.jar
$KARAF_HOME/system/org/ops4j/pax/logging/pax-logging-api/1.11.6/pax-logging-api-1.11.6.jar

(For OH installed with a package manager under Linux, $KARAF_HOME will probably be /usr/share/openhab/ or similar; for OH 3.1 pax is at version 2.0.9, so you override these files with 2.0.12.)

If you want to fix the issue for containers, you can do that by mapping the downloaded files on the host into the container filesystem (for OH 3.1):

docker run ... \
    -v $PWD/pax-logging-api-2.0.12.jar:/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar \
    -v $PWD/pax-logging-log4j2-2.0.12.jar:/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar
    ....

Then, when you go into the shell, you can run headers 5|grep Bundle-Version. It should display 2.0.12 despite the 2.0.9 in the URI.
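The same check can be done from outside the Karaf shell, which is handy for a host volume or a package-managed install: read Bundle-Version from each jar's manifest under the pax-logging directory and compare it with the fixed version for the OH line. This is an added example, not code from the post or from openHAB; the jar contents it checks are constructed stand-ins, and the directory layout is the one the post describes.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Fixed pax-logging versions per openHAB line, as given in the post
MIN_FIXED = {"3.0": "1.11.11", "3.1": "2.0.12"}


def bundle_version(jar_path):
    """Return the OSGi Bundle-Version declared in the jar's manifest, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    # Manifest lines may wrap; a continuation line starts with a single space.
    manifest = manifest.replace("\r\n", "\n").replace("\n ", "")
    m = re.search(r"^Bundle-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def version_tuple(v):
    return tuple(int(x) for x in v.split(".")[:3])


def check_pax_logging(system_dir, oh_line):
    """Map jar file name -> (manifest version, True if at/above the fixed version).
    The file name is ignored on purpose: after the override trick the path still
    says 2.0.9 while the manifest must say 2.0.12."""
    fixed = version_tuple(MIN_FIXED[oh_line])
    base = Path(system_dir) / "org/ops4j/pax/logging"
    results = {}
    for jar in base.rglob("*.jar"):
        actual = bundle_version(jar)
        results[jar.name] = (actual, actual is not None and version_tuple(actual) >= fixed)
    return results


def make_fake_jar(path, version):
    """Constructed stand-in jar with only a manifest (not a real pax-logging artifact)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nBundle-Version: {version}\n\n")


def demo():
    """One jar overridden with 2.0.12, one still at 2.0.9 under a 2.0.9 path."""
    tmp = Path(tempfile.mkdtemp())
    pax = tmp / "org/ops4j/pax/logging"
    make_fake_jar(pax / "pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar", "2.0.12")
    make_fake_jar(pax / "pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar", "2.0.9")
    return check_pax_logging(tmp, "3.1")
```

Run check_pax_logging against the real $KARAF_HOME/system (or the host directory you bind-mount) with the OH line in use; any entry reporting False is a jar the override did not reach.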