Dear all,
You might have read yesterday in the IT press about the critical remote code injection vulnerability in the popular log4j library. This affects a huge amount of Java-based software and servers.
openHAB uses log4j as well (as part of Karaf) for logging, so what exactly does this mean for you?
First of all: To exploit the vulnerability, an attacker must have access to your server or at least be able to interact with it in a way that lets openHAB log some of their input. So as long as you operate openHAB within your local network, do not expose it to the Internet directly and do not consume arbitrary input from untrusted remote servers, you should be fine. Note that myopenHAB is NOT affected, since it isn’t using Java/log4j.
Any openHAB instance that is publicly available (like http://demo.openhab.org) or which consumes untrusted content from remote servers should be secured against this attack, though.
The current openHAB 3.2 snapshot build #2618 (and thus also the soon-to-be-released 3.2 version) is already immune to the vulnerability. As an easy mitigation is possible, we decided not to do any patch releases for older openHAB versions, as we know that many of you are still running 2.5 and other versions for which we no longer have the means to provide patch releases anyway.
Instead, we want to give you instructions on how to manually patch your existing instance. @Flole was so kind to spend last night on intensely testing the mitigation and summarizing it all in detail for you - huge kudos to him for this effort! Here is what he has prepared for all of you:
For those who want to mitigate the issue right now without updating, I have written instructions down (including a simple test at the end of this post to see if it worked). Depending on which operating system and installation method you are using, there are 4 ways to use the workaround:
Linux (package manager installations)
These instructions apply if the file /etc/default/openhab exists on your system, or if you are using openHAB 2 and the file /etc/default/openhab2 exists. If it doesn’t, please skip this until the Linux (“portable” method) section.
In order to mitigate the issue you need to add -Dlog4j2.formatMsgNoLookups=true to EXTRA_JAVA_OPTS in /etc/default/openhab. If you are still on openHAB 2.x then that file would be /etc/default/openhab2.
For example:
EXTRA_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
If you already have other options in there, separate them with a space and add it to the end like this:
EXTRA_JAVA_OPTS="-Duser.timezone=Europe/Berlin -Dlog4j2.formatMsgNoLookups=true"
After that restart openHAB and you are done.
Linux (“portable” method) or macOS
In your start.sh or start_debug.sh add this line
export JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
right above
exec "${RUNTIME}/bin/karaf" "${@}"
After that restart your openHAB instance.
Windows (not installed as service)
If you are using the start.bat file or start_debug.bat file then you need to add
set EXTRA_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true
in the start.bat or start_debug.bat file right above the
"%RUNTIME%\bin\karaf.bat" %*
line.
After that restart your openHAB instance.
Windows (installed as service)
If you are running openHAB using the service-wrapper then you need to add to your openHAB-wrapper.conf
wrapper.java.additional.XX=-Dlog4j2.formatMsgNoLookups=true
where XX is the next available number in the sequence of lines. So if you have
# Java Parameters
wrapper.java.additional.1=-Dkaraf.home="%KARAF_HOME%"
wrapper.java.additional.2=-Dkaraf.base="%KARAF_BASE%"
wrapper.java.additional.3=-Dkaraf.data="%KARAF_DATA%"
wrapper.java.additional.4=-Dkaraf.etc="%KARAF_ETC%"
wrapper.java.additional.5=-Dcom.sun.management.jmxremote
wrapper.java.additional.6=-Dkaraf.startLocalConsole=false
wrapper.java.additional.7=-Dkaraf.startRemoteShell=true
wrapper.java.additional.8=-Dopenhab.home="%OPENHAB_HOME%"
wrapper.java.additional.9=-Dopenhab.conf="%OPENHAB_HOME%\conf"
wrapper.java.additional.10=-Dopenhab.runtime="%OPENHAB_HOME%\runtime"
wrapper.java.additional.11=-Dopenhab.userdata="%OPENHAB_HOME%\userdata"
wrapper.java.additional.12=-Dopenhab.logdir="%OPENHAB_USERDATA%\logs"
wrapper.java.additional.13=-Dfelix.cm.dir="%OPENHAB_HOME%\userdata\config"
wrapper.java.additional.14=-Dorg.osgi.service.http.port=8080
wrapper.java.additional.15=-Dorg.osgi.service.http.port.secure=8443
wrapper.java.additional.16=-Djava.util.logging.config.file="%KARAF_ETC%\java.util.logging.properties"
wrapper.java.additional.17=-Dkaraf.logs="%OPENHAB_LOGDIR%"
wrapper.java.additional.18=-Dfile.encoding=UTF-8
the next available number would be 19 so you just add
wrapper.java.additional.19=-Dlog4j2.formatMsgNoLookups=true
After that restart your openHAB instance.
How to check if it worked
The easiest way to verify that it worked is to use the karaf command
system:property log4j2.formatMsgNoLookups
If it says anything other than “true”, it did not work. If it says “true” then it worked.
I hope this clarifies all questions that you might have on this topic. If not, feel free to join this thread to clarify anything that you might have on your mind.
Best regards,
Kai
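As an added example, not part of Kai's post or Flole's instructions: a POSIX shell helper that applies the package manager mitigation from the Linux section above (adding -Dlog4j2.formatMsgNoLookups=true to EXTRA_JAVA_OPTS in /etc/default/openhab or /etc/default/openhab2) idempotently, so it can be run repeatedly or across many hosts without duplicating the flag. The function names and the .tmp scratch path are my own choices.

```shell
#!/bin/sh
# Added helper (not from the openHAB post): idempotently add the log4j2
# mitigation flag to EXTRA_JAVA_OPTS in a /etc/default/openhab style file.
# Handles: no EXTRA_JAVA_OPTS line, an empty one, one with other options,
# and one that already carries the flag (left untouched).
FLAG='-Dlog4j2.formatMsgNoLookups=true'

ensure_nolookups_opt() {
    file="$1"
    # Already mitigated: the flag is present on the EXTRA_JAVA_OPTS line.
    if grep -Eq "^EXTRA_JAVA_OPTS=.*$FLAG" "$file" 2>/dev/null; then
        return 0
    fi
    if grep -Eq '^EXTRA_JAVA_OPTS=' "$file" 2>/dev/null; then
        # Append the flag inside the existing (possibly quoted) value,
        # separated by a space as the post describes.
        awk -v flag="$FLAG" '
            /^EXTRA_JAVA_OPTS=/ {
                sub(/^EXTRA_JAVA_OPTS=/, "")     # drop the key
                gsub(/^"|"$/, "")                # drop surrounding quotes
                val = ($0 == "") ? flag : ($0 " " flag)
                print "EXTRA_JAVA_OPTS=\"" val "\""
                next
            }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        # No EXTRA_JAVA_OPTS at all: add the line exactly as the post shows.
        printf 'EXTRA_JAVA_OPTS="%s"\n' "$FLAG" >> "$file"
    fi
}

# Print the resulting value so an operator can check it before restarting.
extra_java_opts() {
    sed -n 's/^EXTRA_JAVA_OPTS=//p' "$1"
}

# Usage: sh ensure_nolookups.sh /etc/default/openhab (or /etc/default/openhab2)
if [ "$#" -ge 1 ]; then
    ensure_nolookups_opt "$1" && extra_java_opts "$1"
fi
```

Restart openHAB afterwards and confirm with the karaf command from the post that the property reads “true”.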