Log4j vulnerability

I’m not sure the standard install of 2.5.12 is working anymore. I think some online resource which is needed on first run is now missing, so you can’t get a working version from the downloaded binaries. So I can’t even install that to see if the change to it works…

I posted an issue in Installing for this.

What I’ve done to update to 1.11.13 on OH 2.5.12

Sorry, I’m on Windows, but Linux should be similar.

Go to these directories and create a folder named 1.11.13 in each (similar to the existing ones):
C:\OpenHAB2\runtime\system\org\ops4j\pax\logging\pax-logging-api
C:\OpenHAB2\runtime\system\org\ops4j\pax\logging\pax-logging-log4j2

Download the jar files from here and put them in the corresponding folder you created:
https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-api/1.11.13/
https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-log4j2/1.11.13/

You can check the contents of the existing folders to place the right jar file in the right folder.

Go to karaf console and enter:
la -l|grep -i pax.logging
6 | Active | 8 | 1.11.2 | mvn:org.ops4j.pax.logging/pax-logging-api/1.11.2
7 | Active | 8 | 1.11.2 | mvn:org.ops4j.pax.logging/pax-logging-log4j2/1.11.2
What matters are the leading numbers 6 and 7 (they can differ on your side).

Enter these commands in karaf (the numbers must correspond to your setup!):
update 6 mvn:org.ops4j.pax.logging/pax-logging-api/1.11.13
update 7 mvn:org.ops4j.pax.logging/pax-logging-log4j2/1.11.13

Now all logging is gone. Restart OH and all is fine; logging is back, and you can check in karaf that the right .jar files are running:

la -l|grep -i pax.logging
should show you version 1.11.13 now.

Most of this post was also written in the post above by splatch.


Thank you for that! Much appreciated.

I did this and it seemed to work. It now reports:

It says 1.11.2 & 1.11.13 on the same line?
Is that what it should say? Is it safe now?

Yes, what counts is the 4th column (1.11.3), which is taken directly from the JAR file. The version you see in the last column is the URI used to retrieve the JAR; in practice it points to a filesystem location at system/org/ops4j/pax/logging/.... It might be a bit misleading to see two different versions, but the fastest way to go is simply overriding the existing files. It saves you modifying further files.
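An added example (not openHAB, Karaf or pax-logging project code) of the check behind the `la -l` output in the how-to above and the column explanation just given: Karaf's 4th column is the Bundle-Version read from META-INF/MANIFEST.MF inside the JAR, while the last column is only the mvn: URI the JAR was loaded from. The Python script below reads that manifest directly from JARs on disk (for example everything under runtime\system\org\ops4j\pax\logging), and also reports the embedded log4j-core version when the JAR carries Maven pom.properties for it, plus whether JndiLookup.class is still inside. It runs stand-alone against a constructed sample tree in a temporary directory; the bundle names and the log4j-core version strings in build_sample_tree are placeholders for the sample, not a claim about what pax-logging 1.11.2 or 1.11.13 actually bundle, and whether a real pax-logging JAR includes that pom.properties path is an assumption.

```python
"""Read Bundle-Version (what Karaf's `la -l` 4th column shows) and log4j facts
straight from JAR files.  Added example, not openHAB or pax-logging code; the
sample JARs are constructed in a temp directory so it runs without an install."""
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed location of Maven metadata for an embedded log4j-core; may be absent.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_manifest(text):
    """Parse the main section of a JAR manifest (a leading space continues a value)."""
    headers, last_key = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last_key:
            headers[last_key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            headers[last_key] = value.strip()
    return headers


def inspect_jar(path):
    """Return OSGi identity and log4j facts for one JAR, or None if not a JAR."""
    if not zipfile.is_zipfile(path):
        return None
    manifest, log4j_version = {}, None
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        if LOG4J_CORE_POM in names:
            for line in jar.read(LOG4J_CORE_POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    log4j_version = line.partition("=")[2].strip()
    return {
        "path": path,
        "symbolic_name": manifest.get("Bundle-SymbolicName"),
        "bundle_version": manifest.get("Bundle-Version"),  # the column that counts
        "log4j_core_version": log4j_version,
        # Fixed log4j 2.x releases still ship this class (JNDI off by default), so
        # presence alone is not exposure; absence means it was stripped by hand.
        "jndi_lookup_present": JNDI_LOOKUP in names,
    }


def scan_tree(root):
    """Inspect every .jar below root, e.g. runtime/system/org/ops4j/pax/logging."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".jar"):
                info = inspect_jar(os.path.join(dirpath, name))
                if info:
                    results.append(info)
    return sorted(results, key=lambda r: r["path"])


def make_sample_jar(path, symbolic_name, version, log4j_version):
    """Write a minimal constructed JAR that looks like a pax-logging bundle."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    manifest = ("Manifest-Version: 1.0\r\n"
                f"Bundle-SymbolicName: {symbolic_name}\r\n"
                f"Bundle-Version: {version}\r\n\r\n")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr(LOG4J_CORE_POM, f"artifactId=log4j-core\nversion={log4j_version}\n")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only


def build_sample_tree(root):
    """Mimic system/org/ops4j/pax/logging/pax-logging-log4j2/<ver>/ with the old and
    the updated bundle side by side, as they are after the manual copy above.
    The log4j-core version strings are placeholders for the sample, not facts."""
    base = os.path.join(root, "org", "ops4j", "pax", "logging", "pax-logging-log4j2")
    name = "org.ops4j.pax.logging.pax-logging-log4j2"
    make_sample_jar(os.path.join(base, "1.11.2", "pax-logging-log4j2-1.11.2.jar"),
                    name, "1.11.2", "2.11.2")
    make_sample_jar(os.path.join(base, "1.11.13", "pax-logging-log4j2-1.11.13.jar"),
                    name, "1.11.13", "2.17.0")
    return base


def demo_report():
    """Build the constructed tree in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for r in demo_report():
        print(f"{r['symbolic_name']} Bundle-Version={r['bundle_version']} "
              f"log4j-core={r['log4j_core_version']} "
              f"JndiLookup={'present' if r['jndi_lookup_present'] else 'absent'}")
```

On a real install, call scan_tree() with the pax-logging directory; both the old and the new version folders will be listed, which is expected after the manual copy. Only Karaf's `la -l` tells you which JAR is actually resolved, and its Bundle-Version column is the one to read, not the mvn: URI at the end of the line.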

thanks!

Hello. I’m still using OpenHAB 1.8.
I guess I’m not affected because the log4j used here is “too old”.
Please confirm.

I have no recollection of whether OH 1 used log4j2 or log4j1. If it used 1, you are fine (though vulnerable to a whole host of other attacks). If it’s 2, OH 1 is definitely going to be vulnerable.

Hello.
I just found these 3 files with 'log4j' inside the OpenHAB folder:
feature.xml
"…
id="org.slf4j.log4j"
download-size="29"
install-size="47"
version="1.7.2.v20130115-1340"
unpack="false"/>

"
artifacts.xml
"… artifact classifier='osgi.bundle' id='org.slf4j.log4j' version='1.7.2.v20130115-1340' …"

And this plugin:
org.slf4j.log4j_1.7.2.v20130115-1340.jar

These XML descriptors are used by Eclipse P2, which was the provisioning mechanism used in OH 1.x before the switch to Apache Karaf. Note that the org.slf4j.log4j artifact is the log4j 1.x binding for slf4j. This is a “shallow” library that catches log4j API calls and forwards them to the underlying logging library. The above JAR file is not vulnerable to the log4j 2.x defect.
