If you ask me, the proper fix for this vulnerability does not require openhab to wait for Karaf release. Solution is here: Override pax logging version to address #1349. by splatch · Pull Request #1350 · openhab/openhab-distro · GitHub. It forces use of newest release of pax logging which contains fixed version of log4j.
Note old version of pax is still installed in filesystem, it can be removed later on as its early banishment causes build to fail.