I’m summing up the workaround that can and should be used until an updated version is available. A decision was made that the release on December 20th will include a fix for this, and at this point it is not planned to backport this or release an unplanned update (see the openhab/openhab-distro pull request #1343 on GitHub, “Mitigate potential Remote-Code-Execution caused by CVE-2021-44228” by Flole998, for how and why that decision was made).
@Kai These are the mitigation instructions I wanted to write for the announcement. So all that’s left is a little introduction on why this is necessary at all. I have tested all 4 methods that I described here myself on openHAB 3.1.0 and they are all working as expected.
For those who want to mitigate the issue right now without updating, I have written the instructions down (including a simple test at the end of this post to see if it worked). Depending on which operating system and installation method you are using, there are 4 ways to apply the workaround:
Linux
These instructions apply if the file /etc/default/openhab exists on your system, or, if you are using openHAB 2, if the file /etc/default/openhab2 exists. If neither exists, skip ahead to the Linux (“portable” method) section.
To mitigate the issue you need to add -Dlog4j2.formatMsgNoLookups=true to EXTRA_JAVA_OPTS in /etc/default/openhab. If you are still on openHAB 2.x, that file is /etc/default/openhab2.
For example:
EXTRA_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
If you already have other options in there, separate them with a space and add the new one at the end, like this:
EXTRA_JAVA_OPTS="-Duser.timezone=Europe/Berlin -Dlog4j2.formatMsgNoLookups=true"
After that, restart openHAB and you are done.
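The edit above is easy to get wrong by hand (a missing space, a duplicated flag, or an unquoted value). The following script is an added example, not code from the original post or from openHAB: it applies the same change to an /etc/default/openhab-style file idempotently, covering the three cases the instructions describe (no EXTRA_JAVA_OPTS line yet, an existing quoted or unquoted value, and the flag already present). The flag and file format are the ones from the post; the function names and the sample file contents are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from openHAB:
# idempotently add -Dlog4j2.formatMsgNoLookups=true to EXTRA_JAVA_OPTS in
# an /etc/default/openhab-style file (openhab2 for openHAB 2.x). The flag
# and file format are the post's; function names are my own.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# has_nolookups FILE: succeeds only if the flag sits on the EXTRA_JAVA_OPTS
# line itself (a commented-out copy elsewhere in the file does not count).
has_nolookups() {
    grep -q '^EXTRA_JAVA_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true' "$1"
}

# add_nolookups FILE
#   no EXTRA_JAVA_OPTS line        -> append EXTRA_JAVA_OPTS="<flag>"
#   EXTRA_JAVA_OPTS="" or unquoted -> rewrite as EXTRA_JAVA_OPTS="<old> <flag>"
#   flag already present           -> leave the file untouched
add_nolookups() {
    file="$1"
    if has_nolookups "$file"; then
        return 0
    fi
    tmp="$file.tmp.$$"
    awk -v flag="$FLAG" '
        /^EXTRA_JAVA_OPTS=/ {
            found = 1
            val = substr($0, length("EXTRA_JAVA_OPTS=") + 1)
            # strip one pair of surrounding double quotes, if present
            if (length(val) >= 2 && substr(val, 1, 1) == "\"" &&
                substr(val, length(val), 1) == "\"")
                val = substr(val, 2, length(val) - 2)
            if (val == "") val = flag; else val = val " " flag
            $0 = "EXTRA_JAVA_OPTS=\"" val "\""
        }
        { print }
        END { if (!found) print "EXTRA_JAVA_OPTS=\"" flag "\"" }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # write back through the existing inode so owner and mode are preserved
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demo on a constructed sample file (not a real /etc/default/openhab).
demo=$(mktemp)
printf '# openHAB defaults (constructed sample)\nEXTRA_JAVA_OPTS="-Duser.timezone=Europe/Berlin"\n' > "$demo"
add_nolookups "$demo"
cat "$demo"   # EXTRA_JAVA_OPTS line now ends with " -Dlog4j2.formatMsgNoLookups=true"
rm -f "$demo"
```

To apply it for real, run `add_nolookups /etc/default/openhab` (or /etc/default/openhab2 on 2.x) as root and then restart the openHAB service; the Karaf console check at the end of this post still tells you whether the property actually reached the JVM.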
Linux (“portable” Method)
In your start.sh or start_debug.sh, add this line
export JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
right above
exec "${RUNTIME}/bin/karaf" "${@}"
After that restart your openHAB instance.
Windows (not installed as service)
If you are using start.bat or start_debug.bat, add
set EXTRA_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true
in that file right above the line
"%RUNTIME%\bin\karaf.bat" %*
After that restart your openHAB instance.
Windows (installed as service)
If you run openHAB through the service wrapper, add the following line to your openHAB-wrapper.conf:
wrapper.java.additional.XX=-Dlog4j2.formatMsgNoLookups=true
where XX is the next available number in the sequence. So if you have
# Java Parameters
wrapper.java.additional.1=-Dkaraf.home="%KARAF_HOME%"
wrapper.java.additional.2=-Dkaraf.base="%KARAF_BASE%"
wrapper.java.additional.3=-Dkaraf.data="%KARAF_DATA%"
wrapper.java.additional.4=-Dkaraf.etc="%KARAF_ETC%"
wrapper.java.additional.5=-Dcom.sun.management.jmxremote
wrapper.java.additional.6=-Dkaraf.startLocalConsole=false
wrapper.java.additional.7=-Dkaraf.startRemoteShell=true
wrapper.java.additional.8=-Dopenhab.home="%OPENHAB_HOME%"
wrapper.java.additional.9=-Dopenhab.conf="%OPENHAB_HOME%\conf"
wrapper.java.additional.10=-Dopenhab.runtime="%OPENHAB_HOME%\runtime"
wrapper.java.additional.11=-Dopenhab.userdata="%OPENHAB_HOME%\userdata"
wrapper.java.additional.12=-Dopenhab.logdir="%OPENHAB_USERDATA%\logs"
wrapper.java.additional.13=-Dfelix.cm.dir="%OPENHAB_HOME%\userdata\config"
wrapper.java.additional.14=-Dorg.osgi.service.http.port=8080
wrapper.java.additional.15=-Dorg.osgi.service.http.port.secure=8443
wrapper.java.additional.16=-Djava.util.logging.config.file="%KARAF_ETC%\java.util.logging.properties"
wrapper.java.additional.17=-Dkaraf.logs="%OPENHAB_LOGDIR%"
wrapper.java.additional.18=-Dfile.encoding=UTF-8
the next available number is 19, so you add
wrapper.java.additional.19=-Dlog4j2.formatMsgNoLookups=true
After that restart your openHAB instance.
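Picking the next free index is the only non-obvious part of the service-wrapper edit: the wrapper reads every wrapper.java.additional.N key, and a per-entry sub-key such as wrapper.java.additional.N.stripquotes must not be mistaken for an entry. The script below is an added example, not code from the original post or from openHAB; it is written in POSIX shell so the index logic can be exercised on a constructed file, and on a Windows host you would make the same edit by hand or in PowerShell. The function names and the sample file contents are my own; the key names and the flag are the post's.

```shell
#!/bin/sh
# Added example, not code from the original post or from openHAB: find the
# next free wrapper.java.additional.N index in an openHAB-wrapper.conf and
# append the log4j flag under it. Function names are my own.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# next_wrapper_index FILE: highest N among "wrapper.java.additional.N=..."
# lines plus one (1 for a file with none). Sub-keys such as
# wrapper.java.additional.N.stripquotes=TRUE are ignored because the
# pattern requires "=" directly after the number.
next_wrapper_index() {
    awk -F'[.=]' '
        /^[ \t]*wrapper\.java\.additional\.[0-9]+=/ { n = $4 + 0; if (n > max) max = n }
        END { print max + 1 }
    ' "$1"
}

# wrapper_has_nolookups FILE: succeeds if some wrapper.java.additional.N
# entry already carries exactly the flag.
wrapper_has_nolookups() {
    grep -qE '^[[:space:]]*wrapper\.java\.additional\.[0-9]+=-Dlog4j2\.formatMsgNoLookups=true[[:space:]]*$' "$1"
}

# add_wrapper_nolookups FILE: append one entry under the next free index,
# idempotently, taking care not to glue it onto an unterminated last line.
add_wrapper_nolookups() {
    file="$1"
    if wrapper_has_nolookups "$file"; then
        return 0
    fi
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf 'wrapper.java.additional.%s=%s\n' "$(next_wrapper_index "$file")" "$FLAG" >> "$file"
}

# Demo on a constructed excerpt of an openHAB-wrapper.conf (not a real one).
demo=$(mktemp)
printf '%s\n' '# Java Parameters' \
    'wrapper.java.additional.1=-Dkaraf.home="%KARAF_HOME%"' \
    'wrapper.java.additional.2=-Dkaraf.base="%KARAF_BASE%"' \
    'wrapper.java.additional.18=-Dfile.encoding=UTF-8' > "$demo"
add_wrapper_nolookups "$demo"
tail -n 1 "$demo"   # wrapper.java.additional.19=-Dlog4j2.formatMsgNoLookups=true
rm -f "$demo"
```

Running add_wrapper_nolookups twice leaves a single entry, and next_wrapper_index afterwards reports 20, which is what you want if you later add further options by hand.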
How to check if it worked
The easiest way to verify that it worked is to run, in the openHAB (Karaf) console, the command
system:property log4j2.formatMsgNoLookups
If it prints anything other than “true”, it did not work. If it prints “true”, the property reached the running JVM and the workaround is in place.