Closed Prototyped closed 2 years ago
This has been mitigated by https://github.com/openhab/openhab-distro/pull/1343 and will be finally addressed by https://github.com/openhab/openhab-distro/pull/1344. See also https://community.openhab.org/t/openhab-and-the-log4j-security-vulnerability/129901.
How can I do that for openHAB 2? I tried it as you can see in the following:
wget https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-api/2.0.11/pax-logging-api-2.0.11.jar
wget https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-log4j2/2.0.11/pax-logging-log4j2-2.0.11.jar
wget https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-logback/2.0.11/pax-logging-logback-2.0.11.jar
sudo dpkg-divert --local --divert /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-api/1.11.2/pax-logging-api-1.11.2.bad --rename --add /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-api/1.11.2/pax-logging-api-1.11.2.jar
sudo dpkg-divert --local --divert /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.bad --rename --add /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.jar
sudo dpkg-divert --local --divert /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-logback/1.11.2/pax-logging-logback-1.11.2.bad --rename --add /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-logback/1.11.2/pax-logging-logback-1.11.2.jar
sudo install -oopenhab -gopenhab -m0644 pax-logging-api-2.0.11.jar /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-api/1.11.2/pax-logging-api-1.11.2.jar
sudo install -oopenhab -gopenhab -m0644 pax-logging-log4j2-2.0.11.jar /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.jar
sudo install -oopenhab -gopenhab -m0644 pax-logging-logback-2.0.11.jar /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-logback/1.11.2/pax-logging-logback-1.11.2.jar
To undo it, I also had to reinstall openHAB 2.
You'll need to find what uses of log4j there are in OpenHAB 2. Something like this:
dpkg -L openhab2 |
grep -P '\.jar$' |
while read -r jar
do
  # list the jar's entries and keep only the paths that mention log4j
  contents="$(jar tf "$jar" | grep -F log4j)"
  if [[ -n "$contents" ]]
  then
    # printf keeps one entry per line (an unquoted echo $contents would collapse them into one line)
    printf '%s\n' "$contents" |
    while read -r line
    do
      echo "$jar:$line"
    done
  fi
done
This should tell you which .jar files include paths containing log4j in them, and therefore which .jars you need to replace.
I suspect pax logging 2.x is not backward compatible with 1.11.x so if you want to try this, you will need to do it with version 1.11.10 rather than 2.0.11. The former version also has the upgraded log4j 2 dependencies.
That said, you may be better off applying the mitigation described in the forum post by editing /etc/default/openhab2 and setting the variable EXTRA_JAVA_OPTS to -Dlog4j2.formatMsgNoLookups=true.
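A defender-side check for the two points raised in the comment above, added here as an example (it is not openHAB project code and not from any commenter): it opens a pax-logging-log4j2-style jar, reads the embedded log4j-core version from its pom.properties and compares it with the 2.15.0 fix level the issue cites, and it checks whether /etc/default/openhab2 carries the EXTRA_JAVA_OPTS mitigation. It assumes the uberjar preserves log4j-core's pom.properties (if it does not, the version is reported as None and only the presence of the JndiLookup class is reported); the sample jar is constructed in memory.

```python
import io
import re
import zipfile

# From this issue: pax-logging-log4j2 bundles log4j-core as an uberjar, fixed at log4j 2.15.0.
FIXED_VERSION = (2, 15, 0)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # assumed kept in the uberjar
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"

def _parse_version(text):
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split(".")[:3])

def scan_jar(jar):
    """Report the embedded log4j-core version of a jar (path or file-like object)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = _parse_version(line.split("=", 1)[1])
    return {
        "log4j_core_version": version,
        "has_jndi_lookup": JNDI_LOOKUP in names,
        # None means "version not found, inspect by hand"; True means older than 2.15.0
        "needs_update": None if version is None else version < FIXED_VERSION,
    }

def mitigation_set(defaults_text):
    """True if /etc/default/openhab2 content sets EXTRA_JAVA_OPTS with the forum's flag."""
    for line in defaults_text.splitlines():
        m = re.match(r'\s*EXTRA_JAVA_OPTS\s*=\s*"?(.*?)"?\s*$', line)
        if m and MITIGATION_FLAG in m.group(1):
            return True
    return False

def build_sample_uberjar(version, with_pom=True):
    """Constructed stand-in for a pax-logging-log4j2 uberjar; not a real Maven artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, no bytecode
        if with_pom:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    buf.seek(0)
    return buf
```

On a real install, call scan_jar() with the path of the deployed pax-logging-log4j2 jar under /usr/share/openhab2/runtime/system/ and mitigation_set() with the contents of /etc/default/openhab2.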
Thank you. I have done the mitigation. Also using the 1.11.10 worked for me:
wget https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-api/1.11.10/pax-logging-api-1.11.10.jar
wget https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-log4j2/1.11.10/pax-logging-log4j2-1.11.10.jar
wget https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-logback/1.11.10/pax-logging-logback-1.11.10.jar
sudo dpkg-divert --local --divert /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-api/1.11.2/pax-logging-api-1.11.2.bad --rename --add /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-api/1.11.2/pax-logging-api-1.11.2.jar
sudo dpkg-divert --local --divert /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.bad --rename --add /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.jar
sudo dpkg-divert --local --divert /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-logback/1.11.2/pax-logging-logback-1.11.2.bad --rename --add /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-logback/1.11.2/pax-logging-logback-1.11.2.jar
sudo install -oopenhab -gopenhab -m0644 pax-logging-api-1.11.10.jar /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-api/1.11.2/pax-logging-api-1.11.2.jar
sudo install -oopenhab -gopenhab -m0644 pax-logging-log4j2-1.11.10.jar /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.jar
sudo install -oopenhab -gopenhab -m0644 pax-logging-logback-1.11.10.jar /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-logback/1.11.2/pax-logging-logback-1.11.2.jar
It can be mitigated now by openhab/openhab-distro#1350. No need to wait for Karaf, as there is a mechanism to force a specific version of pax logging. Moreover, this way also works for older/legacy Karaf releases, which will be slower in providing security patches.
Issue information:
Please see https://github.com/ops4j/org.ops4j.pax.logging/security/advisories/GHSA-xxfh-x98p-j8fr and https://github.com/advisories/GHSA-jfh8-c2jp-5v3q.
OpenHAB depends upon ops4j pax-logging-{api,log4j2,logback} 2.0.9. There is a critical remote code execution vulnerability rated at severity 10/10 involving log4j < 2.15.0, which pax-logging-log4j2 includes as an uberjar. This is deployed, at minimum, as part of the OpenHAB apt distribution, and very likely in other forms.
Version 2.0.11 of ops4j pax.logging composes version 2.15.0 of log4j classes rather than earlier versions.
Workaround
For those who, like me, use the OpenHAB apt repository, it is possible to work around this by using dpkg-divert to rename away the 2.0.9 pax-logging jars included in the openhab deb package, and copy the 2.0.11 jars in their place. The 2.0.11 jars can be found in Maven Central: