openHAB and the log4j security vulnerability

Dear all,

You might have read yesterday in the IT press about the critical remote code injection vulnerability in the popular log4j library. This affects a huge amount of Java-based software and servers.

openHAB uses log4j as well (as part of Karaf) for logging, so what exactly does this mean for you?

First of all: For exploiting the vulnerability, an attacker must have access to your server or at least be able to interact in a way with it that would let openHAB log some of his input. So as long as you operate openHAB within your local network, do not expose it to the Internet directly and do not consume arbitrary input from untrusted remote servers, you should be fine. Note that myopenHAB is NOT affected, since it isn’t using Java/log4j.

Any openHAB instance that is publicly available (like http://demo.openhab.org) or which consumes untrusted content from remote servers should be secured against this attack, though.
The current openHAB 3.2 snapshot build #2618 (and thus also the soon to be released 3.2 version) is already immune to the vulnerability. As there is an easy mitigation possible, we decided to not do any patch releases for older openHAB versions as we know that many of you are still running 2.5 and other versions, where we do not have the means to provide patch releases anymore anyhow.

Instead, we want to give you instructions on how to manually patch your existing instance. @Flole was so kind as to spend last night intensely testing the mitigation and summarizing it all in detail for you - huge kudos to him for this effort! Here is what he has prepared for all of you:


For those who want to mitigate the issue right now without updating, I have written instructions down (including a simple test to see if it worked at the end of this post). Depending on which operating system and installation method you are using, there are 4 ways to use the workaround:

Linux (package manager installations)

These instructions apply if on your system the file /etc/default/openhab exists, or if you are using openHAB 2 and the file /etc/default/openhab2 exists. If it doesn’t, please skip ahead to the Linux (“portable” method) section.

In order to mitigate the issue you need to add

-Dlog4j2.formatMsgNoLookups=true

to EXTRA_JAVA_OPTS in /etc/default/openhab. If you are still on openHAB 2.x, that file is /etc/default/openhab2.

For example:

EXTRA_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"

If you already have other options in there, you can separate it with a space and add it to the end like this:

EXTRA_JAVA_OPTS="-Duser.timezone=Europe/Berlin -Dlog4j2.formatMsgNoLookups=true"

After that restart openHAB and you are done.

Linux (“portable” method) or macOS

In your start.sh or start_debug.sh add this line

export JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"

right above

exec "${RUNTIME}/bin/karaf" "${@}"

After that restart your openHAB instance.

Windows (not installed as service)

If you are using the start.bat file or start_debug.bat file then you need to add

set EXTRA_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true

in the start.bat or start_debug.bat file right above the

"%RUNTIME%\bin\karaf.bat" %*

line.

After that restart your openHAB instance.

Windows (installed as service)

If you are running openHAB using the service-wrapper then you need to add to your openHAB-wrapper.conf

wrapper.java.additional.XX=-Dlog4j2.formatMsgNoLookups=true

where XX is the next available number in the sequence of lines. So if you have

# Java Parameters
wrapper.java.additional.1=-Dkaraf.home="%KARAF_HOME%"
wrapper.java.additional.2=-Dkaraf.base="%KARAF_BASE%"
wrapper.java.additional.3=-Dkaraf.data="%KARAF_DATA%"
wrapper.java.additional.4=-Dkaraf.etc="%KARAF_ETC%"
wrapper.java.additional.5=-Dcom.sun.management.jmxremote
wrapper.java.additional.6=-Dkaraf.startLocalConsole=false
wrapper.java.additional.7=-Dkaraf.startRemoteShell=true
wrapper.java.additional.8=-Dopenhab.home="%OPENHAB_HOME%"
wrapper.java.additional.9=-Dopenhab.conf="%OPENHAB_HOME%\conf"
wrapper.java.additional.10=-Dopenhab.runtime="%OPENHAB_HOME%\runtime"
wrapper.java.additional.11=-Dopenhab.userdata="%OPENHAB_HOME%\userdata"
wrapper.java.additional.12=-Dopenhab.logdir="%OPENHAB_USERDATA%\logs"
wrapper.java.additional.13=-Dfelix.cm.dir="%OPENHAB_HOME%\userdata\config"
wrapper.java.additional.14=-Dorg.osgi.service.http.port=8080
wrapper.java.additional.15=-Dorg.osgi.service.http.port.secure=8443
wrapper.java.additional.16=-Djava.util.logging.config.file="%KARAF_ETC%\java.util.logging.properties"
wrapper.java.additional.17=-Dkaraf.logs="%OPENHAB_LOGDIR%"
wrapper.java.additional.18=-Dfile.encoding=UTF-8

the next available number would be 19 so you just add

wrapper.java.additional.19=-Dlog4j2.formatMsgNoLookups=true

After that restart your openHAB instance.

How to check if it worked

The easiest way to verify if that worked is to use the karaf command

system:property log4j2.formatMsgNoLookups

If it says anything other than “true”, it did not work. If it says “true”, then it worked.


I hope this clarifies all questions that you might have on this topic. If not, feel free to join this thread to clarify anything that you might have on your mind.

Best regards,
Kai

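As an added example (not part of Kai's or Flole's post, nor of the openHAB project), here is a POSIX shell script that applies the flag to the two configuration file formats described above without duplicating it, picks the next free wrapper.java.additional index the way the post describes, and checks whether a running karaf JVM actually received the flag. It assumes that EXTRA_JAVA_OPTS, where present, is a single double-quoted line as in the examples above, and that ps -eo args is available.

```shell
#!/bin/sh
# Added example (not from the original post or the openHAB project):
# apply -Dlog4j2.formatMsgNoLookups=true to the two config file formats
# the post describes, idempotently, and check the running JVM.
# Assumes EXTRA_JAVA_OPTS, if present, is a single double-quoted line.

MITIGATION='-Dlog4j2.formatMsgNoLookups=true'

# /etc/default/openhab style: append to EXTRA_JAVA_OPTS or create it.
# Prints "added" or "present" (already there, nothing changed).
patch_default_file() {
  f="$1"
  if grep -q -- "$MITIGATION" "$f" 2>/dev/null; then
    echo present; return 0
  fi
  [ -f "$f" ] && cp "$f" "$f.bak"          # keep a copy before editing
  if grep -q '^EXTRA_JAVA_OPTS=' "$f" 2>/dev/null; then
    # non-empty value: insert " -Dflag" before the closing quote;
    # empty value "": insert the flag without a leading space
    sed -e "s|^\(EXTRA_JAVA_OPTS=\"[^\"][^\"]*\)\"|\1 $MITIGATION\"|" \
        -e "s|^EXTRA_JAVA_OPTS=\"\"|EXTRA_JAVA_OPTS=\"$MITIGATION\"|" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  else
    printf 'EXTRA_JAVA_OPTS="%s"\n' "$MITIGATION" >> "$f"
  fi
  echo added
}

# openHAB-wrapper.conf style: wrapper.java.additional.N must be unique,
# so use one past the highest N already in the file (not the line count).
# Prints the index written, or "present".
patch_wrapper_conf() {
  f="$1"
  if grep -q -- "$MITIGATION" "$f" 2>/dev/null; then
    echo present; return 0
  fi
  last=$(sed -n 's/^wrapper\.java\.additional\.\([0-9][0-9]*\)=.*/\1/p' "$f" \
         | sort -n | tail -n 1)
  next=$(( ${last:-0} + 1 ))
  printf 'wrapper.java.additional.%s=%s\n' "$next" "$MITIGATION" >> "$f"
  echo "$next"
}

# The config edit only takes effect after a restart: confirm the flag is on
# the command line of a running karaf JVM (returns 0 if found).
running_jvm_has_flag() {
  ps -eo args 2>/dev/null | grep -v grep | grep -- karaf | grep -q -- "$MITIGATION"
}
```

Run the patch function for your install type, restart openHAB, then run running_jvm_has_flag (or the karaf system:property check from the post) to confirm the JVM picked it up.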

Small update:
We have now also published an official security advisory.

As you can see in it, we have also published the new patch releases 3.0.4 and 3.1.1 for all openHAB users that are on versions 3.0 or 3.1 and that don’t want to apply the manual fix mentioned above.
