Posted to user@karaf.apache.org by Paul Spencer <pa...@mindspring.com> on 2021/12/12 16:54:33 UTC

Karaf 4.3.x "Apache Log4j Remote Code Execution Vulnerability" mitigation?

For users of Karaf 4.3.x, what is the recommended mitigation for "Apache Log4j Remote Code Execution Vulnerability", CVE-2021-44228?

Paul Spencer


Re: Karaf 4.3.x "Apache Log4j Remote Code Execution Vulnerability" mitigation?

Posted by Oleg Cohen <ol...@assurebridge.com>.
Thank you!

On Dec 12, 2021, at 10:13 AM, Jean-Baptiste Onofre <jb...@nanthrax.net> wrote:

log4j2.formatMsgNoLookups=true in etc/system.properties should do the trick.

Regards
JB

On 12 Dec 2021, at 18:10, Oleg Cohen <ol...@assurebridge.com> wrote:

Hi JB,

Thank you for the info.

Do you have an example of how this can be done in system.properties?

Best,
Oleg

On Dec 12, 2021, at 10:08 AM, JB Onofré <jb...@nanthrax.net> wrote:

You can use system.properties to set the msg format on the existing version.

Else Karaf 4.3.4 will include the fix by default.

On 12 Dec 2021, at 17:54, Paul Spencer <pa...@mindspring.com> wrote:

For users of Karaf 4.3.x, what is the recommended mitigation for "Apache
Log4j Remote Code Execution Vulnerability", CVE-2021-44228?

Paul Spencer

Re: Karaf 4.3.x "Apache Log4j Remote Code Execution Vulnerability" mitigation?

Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
log4j2.formatMsgNoLookups=true in etc/system.properties should do the trick.

Regards
JB

> On 12 Dec 2021, at 18:10, Oleg Cohen <ol...@assurebridge.com> wrote:
> 
> Hi JB,
> 
> Thank you for the info.
> 
> Do you have an example of how this can be done in system.properties?
> 
> Best,
> Oleg
> 
>> On Dec 12, 2021, at 10:08 AM, JB Onofré <jb...@nanthrax.net> wrote:
>> 
>> You can use system.properties to set the msg format on the existing version.
>> 
>> Else Karaf 4.3.4 will include the fix by default.
>> 
>>> On 12 Dec 2021, at 17:54, Paul Spencer <pa...@mindspring.com> wrote:
>>> 
>>> For users of Karaf 4.3.x, what is the recommended mitigation for "Apache Log4j Remote Code Execution Vulnerability", CVE-2021-44228?
>>> 
>>> Paul Spencer
>>> 
>> 
> 
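
One way to apply the setting from the reply above idempotently, as an added example that is not part of the original thread or of Karaf's own tooling. The function names and the install-directory argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: set log4j2.formatMsgNoLookups=true
# in a Karaf etc/system.properties file without creating duplicates.
# Function names and the install-directory argument are assumptions.

KEY='log4j2.formatMsgNoLookups'
# Active (uncommented) assignment of the key; .properties allows = or :
KEY_RE='^[[:space:]]*log4j2\.formatMsgNoLookups[[:space:]]*[=:]'

# 0: key is set and every active assignment is "true"
# 1: key absent, commented out, or set to something else; 2: no such file
check_no_lookups() {
    file=$1
    [ -f "$file" ] || return 2
    grep -Eq "$KEY_RE" "$file" || return 1
    if grep -E "$KEY_RE" "$file" |
        grep -Eqv "${KEY_RE}[[:space:]]*true[[:space:]]*\$"; then
        return 1
    fi
    return 0
}

# Make the file pass check_no_lookups, keeping a .bak copy of the original.
ensure_no_lookups() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    check_no_lookups "$file" && return 0
    cp -p "$file" "$file.bak" || return 2
    if grep -Eq "$KEY_RE" "$file"; then
        # Rewrite existing assignments rather than appending a second one.
        sed -E "s/${KEY_RE}.*\$/${KEY}=true/" "$file.bak" > "$file"
    else
        printf '\n# Mitigation for CVE-2021-44228\n%s=true\n' "$KEY" >> "$file"
    fi
    check_no_lookups "$file"
}

# Usage: sh this-script.sh /path/to/karaf   (path supplied by the operator)
if [ "$#" -gt 0 ]; then
    ensure_no_lookups "$1/etc/system.properties"
fi
```

Karaf reads etc/system.properties at startup, so restart the instance after the change.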


Re: Karaf 4.3.x "Apache Log4j Remote Code Execution Vulnerability" mitigation?

Posted by Oleg Cohen <ol...@assurebridge.com>.
Hi JB,

Thank you for the info.

Do you have an example of how this can be done in system.properties?

Best,
Oleg

> On Dec 12, 2021, at 10:08 AM, JB Onofré <jb...@nanthrax.net> wrote:
> 
> You can use system.properties to set the msg format on the existing version.
> 
> Else Karaf 4.3.4 will include the fix by default.
> 
>> On 12 Dec 2021, at 17:54, Paul Spencer <pa...@mindspring.com> wrote:
>> 
>> For users of Karaf 4.3.x, what is the recommended mitigation for "Apache Log4j Remote Code Execution Vulnerability", CVE-2021-44228?
>> 
>> Paul Spencer
>> 
> 


Re: Karaf 4.3.x "Apache Log4j Remote Code Execution Vulnerability" mitigation?

Posted by JB Onofré <jb...@nanthrax.net>.
You can use system.properties to set the msg format on the existing version.

Else Karaf 4.3.4 will include the fix by default.

> On 12 Dec 2021, at 17:54, Paul Spencer <pa...@mindspring.com> wrote:
> 
> For users of Karaf 4.3.x, what is the recommended mitigation for "Apache Log4j Remote Code Execution Vulnerability", CVE-2021-44228?
> 
> Paul Spencer
>