I’m not sure the standard install of 2.5.12 is working anymore. I think some online resource is now missing which is needed on first run. So you can’t get a working version from the downloaded binaries. So I can’t even install that to see if the change to that works…
Sorry, I’m on Windows, but Linux should be similar.
Go to those directories and create folders named 1.11.13 in each (similar to the existing ones):
C:\OpenHAB2\runtime\system\org\ops4j\pax\logging\pax-logging-api
C:\OpenHAB2\runtime\system\org\ops4j\pax\logging\pax-logging-log4j2
You can check the content of the existing folder to place the right jar file in the right folder.
Go to the karaf console and enter:
la -l|grep -i pax.logging
6 | Active | 8 | 1.11.2 | mvn:org.ops4j.pax.logging/pax-logging-api/1.11.2
7 | Active | 8 | 1.11.2 | mvn:org.ops4j.pax.logging/pax-logging-log4j2/1.11.2
Important are the leading numbers 6 and 7 (can differ on your side).
Enter these commands in karaf (the numbers must correspond to your setup!):
update 6 mvn:org.ops4j.pax.logging/pax-logging-api/1.11.13
update 7 mvn:org.ops4j.pax.logging/pax-logging-log4j2/1.11.13
Now all logging is gone. Restart OH and all is fine; logging is here again and you can check in karaf if the right .jar files are running:
la -l|grep -i pax.logging
should show you version 1.11.13 now.
Most of this post was also written in the post above by splatch.
Yes, what counts is the 4th column (1.11.3), which is taken directly from the JAR file. The version you see in the last column is the URI which is used to retrieve the JAR; in practice it points to the filesystem location at system/org/ops4j/pax/logging/.... It might be a bit misleading to see two different versions, but the fastest way to go is simply overriding the existing files. It saves you modification of further files.
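As an added illustration of the update steps above and of splatch's point that the 4th column is the real JAR version (this is not code from the thread or from openHAB), a small Python script that parses `la -l | grep -i pax.logging` output, builds the `update` commands from the bundle IDs actually present instead of hardcoding 6 and 7, and checks the JAR version column rather than the URI. The sample console lines are constructed.

```python
import re

# Constructed sample of `la -l | grep -i pax.logging` output before the update
# (bundle IDs 6 and 7 are illustrative; they differ per installation).
SAMPLE_BEFORE = """\
6 | Active | 8 | 1.11.2 | mvn:org.ops4j.pax.logging/pax-logging-api/1.11.2
7 | Active | 8 | 1.11.2 | mvn:org.ops4j.pax.logging/pax-logging-log4j2/1.11.2
"""

# Constructed sample after overriding the JAR files in place: the 4th column
# (read from the JAR) is new, while the URI in the last column still says 1.11.2.
SAMPLE_AFTER_OVERRIDE = """\
6 | Active | 8 | 1.11.13 | mvn:org.ops4j.pax.logging/pax-logging-api/1.11.2
7 | Active | 8 | 1.11.13 | mvn:org.ops4j.pax.logging/pax-logging-log4j2/1.11.2
"""

ROW = re.compile(r"^\s*(\d+)\s*\|\s*(\w+)\s*\|\s*(\d+)\s*\|\s*([\w.\-]+)\s*\|\s*(\S+)\s*$")
MVN = re.compile(r"^(mvn:org\.ops4j\.pax\.logging/pax-logging-[\w-]+)/")


def parse_bundles(text):
    """Parse `la -l` rows into dicts: id, state, level, jar_version (4th column), location (URI)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"id": int(m.group(1)), "state": m.group(2), "level": int(m.group(3)),
                         "jar_version": m.group(4), "location": m.group(5)})
    return [r for r in rows if "/pax-logging-" in r["location"]]


def update_commands(rows, target):
    """Build the Karaf `update <id> mvn:...` commands keyed on the bundle IDs actually found."""
    cmds = []
    for r in rows:
        m = MVN.match(r["location"])
        if m:
            cmds.append(f"update {r['id']} {m.group(1)}/{target}")
    return cmds


def version_tuple(v):
    return tuple(int(p) for p in re.findall(r"\d+", v))


def check_versions(rows, target):
    """Report bundles whose JAR version (4th column, not the URI) is still below the target."""
    return [f"bundle {r['id']} still at {r['jar_version']} (< {target})"
            for r in rows if version_tuple(r["jar_version"]) < version_tuple(target)]
```

Paste the `update` lines the script prints into the Karaf console; after the restart, run `check_versions` on the fresh `la -l` output and expect an empty list.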
I have no recollection whether OH 1 used log4j2 or log4j1. If it used 1 you are fine (though vulnerable to a whole host of other attacks). If it’s 2, OH 1 is definitely going to be vulnerable.
Hello.
I just found those 3 files with ‘log4j’ inside the OpenHAB folder:
feature.xml
"…
id="org.slf4j.log4j"
download-size="29"
install-size="47"
version="1.7.2.v20130115-1340"
unpack="false"/>
…
"
artifacts.xml
"… artifact classifier='osgi.bundle' id='org.slf4j.log4j' version='1.7.2.v20130115-1340' …"
And this plugin.
org.slf4j.log4j_1.7.2.v20130115-1340.jar
These XML descriptors are used by Eclipse P2, which is the provisioning mechanism used prior to switching to Apache Karaf in OH 1.x. Note that the org.slf4j.log4j artifact is the log4j 1.x binding for slf4j. This is a “shallow” library to catch log4j API calls and forward them to the underlying logging library. The above JAR file is not vulnerable to the log4j 2.x defect.