openhab / openhab-linuxpkg

Repo for Linux packages
Eclipse Public License 2.0

Upgrade ops4j pax-logging-* libraries to 2.0.11 #212

Closed Prototyped closed 2 years ago

Prototyped commented 2 years ago

Issue information:

Please see https://github.com/ops4j/org.ops4j.pax.logging/security/advisories/GHSA-xxfh-x98p-j8fr and https://github.com/advisories/GHSA-jfh8-c2jp-5v3q.

OpenHAB depends upon ops4j pax-logging-{api,log4j2,logback} 2.0.9. There is a critical remote code execution vulnerability rated at severity 10/10 involving log4j < 2.15.0, which pax-logging-log4j2 includes as an uberjar. This is deployed, at minimum, as part of the OpenHAB apt distribution, and very likely in other forms.

Version 2.0.11 of ops4j pax.logging composes version 2.15.0 of log4j classes rather than earlier versions.

$ apt policy openhab
openhab:
  Installed: 3.1.0-1
  Candidate: 3.1.0-1
  Version table:
 *** 3.1.0-1 500
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main arm64 Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main arm64 Packages
        100 /var/lib/dpkg/status
     3.0.2-1 500
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main arm64 Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main arm64 Packages
     3.0.1-2 500
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main arm64 Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main arm64 Packages
     3.0.0-1 500
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main arm64 Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main arm64 Packages
$ dpkg -L openhab | grep -P '\.jar$' | while read -r jar; do contents="$(jar tf "$jar" | grep -F log4j)"; if [[ -n "$contents" ]]; then echo "$contents" | while read -r line; do echo "$jar:$line"; done; fi; done
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-logback/2.0.9/pax-logging-logback-2.0.9.jar:ch/qos/logback/classic/log4j/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-logback/2.0.9/pax-logging-logback-2.0.9.jar:ch/qos/logback/classic/log4j/XMLLayout.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/services/org.apache.logging.log4j.util.PropertySource
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/util/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/util/Base64Util.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/util/ProcessIdUtil.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/util/StackLocator.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/util/internal/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/util/internal/DefaultObjectInputFilter.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/Appender.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/AppenderSkeleton.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/AsyncAppender$DiscardSummary.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/AsyncAppender$Dispatcher.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/AsyncAppender.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/AuditLevel.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/BasicConfigurator.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/Category.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/CategoryKey.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/ConsoleAppender$SystemErrStream.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/ConsoleAppender$SystemOutStream.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/ConsoleAppender.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/DailyRollingFileAppender.class
[...]
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.apache.logging.log4j/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.apache.logging.log4j/log4j-core/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.apache.logging.log4j/log4j-core/pom.xml
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.ops4j.pax.logging/pax-logging-log4j2/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.ops4j.pax.logging/pax-logging-log4j2/pom.properties
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.ops4j.pax.logging/pax-logging-log4j2/pom.xml
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/org/apache/logging/log4j/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/org/apache/logging/log4j/core/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/org/apache/logging/log4j/core/config/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/org/apache/logging/log4j/core/config/plugins/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/org/apache/logging/log4j/core/config/plugins/Log4j2Plugins.dat
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/AbstractLifeCycle.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/AbstractLogEvent.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Appender.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/ContextDataInjector.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Core.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/DefaultLoggerContextAccessor.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/ErrorHandler.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Filter$Result.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Filter.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Layout.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LifeCycle$State.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LifeCycle.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LifeCycle2.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LogEvent.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LogEventListener.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Logger$LoggerProxy.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Logger$PrivateConfig.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Logger.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LoggerContext$1.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LoggerContext$ThreadContextDataTask.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LoggerContext.class
[...]
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/lookup/JndiLookup.class
[...]

Workaround

For those who, like me, use the OpenHAB apt repository, it is possible to work around this by using dpkg-divert to rename away the 2.0.9 pax-logging jars included in the openhab deb package, and copy the 2.0.11 jars in their place:

$ sudo dpkg-divert --local --divert /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.bad --rename --add /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar
$ sudo dpkg-divert --local --divert /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.bad --rename --add /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar
$ sudo dpkg-divert --local --divert /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-logback/2.0.9/pax-logging-logback-2.0.9.bad --rename --add /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-logback/2.0.9/pax-logging-logback-2.0.9.jar
$ sudo install -oopenhab -gopenhab -m0644 pax-logging-api-2.0.11.jar /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar
$ sudo install -oopenhab -gopenhab -m0644 pax-logging-log4j2-2.0.11.jar /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar
$ sudo install -oopenhab -gopenhab -m0644 pax-logging-logback-2.0.11.jar /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-logback/2.0.9/pax-logging-logback-2.0.9.jar

The 2.0.11 jars can be found in Maven Central:
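As an added check (this script is not part of openhab-linuxpkg or of the issue above; it assumes unzip(1) is installed and that the pax-logging uberjar keeps log4j-core's Maven pom.properties at the META-INF/maven/org.apache.logging.log4j/log4j-core/ path seen in the listing), the following narrows the `grep log4j` listing to the two things that decide exposure: a bundled log4j-core below a minimum version, and the presence of org/apache/logging/log4j/core/lookup/JndiLookup.class. A plain grep for "log4j" also hits pax-logging-api's log4j 1.x compatibility classes (org/apache/log4j/) and logback's XMLLayout, neither of which is log4j-core. The minimum version defaults to 2.15.0, the version this issue asks for; pass a higher one if your baseline has moved.

```shell
#!/bin/sh
# Added example, not openHAB's own tooling: inventory bundled log4j-core
# copies under an openHAB runtime and flag those below a minimum version.
# Assumes: unzip(1) on PATH; pax-logging uberjars keep log4j-core's
# pom.properties at META-INF/maven/org.apache.logging.log4j/log4j-core/.
set -u

POM_PATH='META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'
JNDI_CLASS='org/apache/logging/log4j/core/lookup/JndiLookup.class'

# Print the "version=" value of a pom.properties read from stdin.
pom_version() {
    sed -n 's/^version=//p' | head -n 1
}

# Succeed (exit 0) when dotted version $1 is >= dotted version $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Verdict for one jar: $1 = has JndiLookup.class (yes/no), $2 = bundled
# log4j-core version ("" if no log4j-core inside), $3 = minimum version.
verdict() {
    has_jndi=$1; ver=$2; min=$3
    if [ -z "$ver" ]; then
        # No log4j-core in this jar (e.g. pax-logging-api's log4j 1.x shim).
        echo "clean"
    elif version_ge "$ver" "$min"; then
        echo "ok"
    elif [ "$has_jndi" = yes ]; then
        echo "VULNERABLE"
    else
        # Old core whose lookup class was deleted by hand: still upgrade it.
        echo "old-core-no-jndilookup"
    fi
}

# Inspect a real jar with unzip(1); print "<verdict> <version> <jar>".
scan_jar() {
    jar=$1; min=$2
    if unzip -l "$jar" 2>/dev/null | grep -qF "$JNDI_CLASS"; then
        has_jndi=yes
    else
        has_jndi=no
    fi
    ver=$(unzip -p "$jar" "$POM_PATH" 2>/dev/null | pom_version)
    printf '%s\t%s\t%s\n' "$(verdict "$has_jndi" "$ver" "$min")" "${ver:--}" "$jar"
}

# Usage: sh log4j-scan.sh /usr/share/openhab/runtime [MIN_VERSION]
# Prints one line per jar; exits 1 if any jar is VULNERABLE.
if [ "$#" -gt 0 ]; then
    root=$1; min=${2:-2.15.0}
    report=$(find "$root" -name '*.jar' -print |
        while read -r jar; do scan_jar "$jar" "$min"; done | sort)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^VULNERABLE'
fi
```

Run it against /usr/share/openhab/runtime (or /usr/share/openhab2/runtime) before and after the dpkg-divert steps to confirm the 2.0.9 paths now carry a 2.15.0 core. Because a diversion keeps later package versions from overwriting the diverted path, re-run it after every package upgrade and remove the diversions (dpkg-divert --remove) once a package with a fixed pax-logging ships.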

kaikreuzer commented 2 years ago

This has been mitigated by https://github.com/openhab/openhab-distro/pull/1343 and will be finally addressed by https://github.com/openhab/openhab-distro/pull/1344. See also https://community.openhab.org/t/openhab-and-the-log4j-security-vulnerability/129901.

Michdo93 commented 2 years ago

How can I do that for openHAB 2? I tried it as you can see in the following:

wget https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-api/2.0.11/pax-logging-api-2.0.11.jar
wget https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-log4j2/2.0.11/pax-logging-log4j2-2.0.11.jar
wget https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-logback/2.0.11/pax-logging-logback-2.0.11.jar

sudo dpkg-divert --local --divert /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-api/1.11.2/pax-logging-api-1.11.2.bad --rename --add /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-api/1.11.2/pax-logging-api-1.11.2.jar
sudo dpkg-divert --local --divert /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.bad --rename --add /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.jar
sudo dpkg-divert --local --divert /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-logback/1.11.2/pax-logging-logback-1.11.2.bad --rename --add /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-logback/1.11.2/pax-logging-logback-1.11.2.jar

sudo install -oopenhab -gopenhab -m0644 pax-logging-api-2.0.11.jar /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-api/1.11.2/pax-logging-api-1.11.2.jar
sudo install -oopenhab -gopenhab -m0644 pax-logging-log4j2-2.0.11.jar /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.jar
sudo install -oopenhab -gopenhab -m0644 pax-logging-logback-2.0.11.jar /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-logback/1.11.2/pax-logging-logback-1.11.2.jar

To undo it, I also had to reinstall openHAB 2.

Prototyped commented 2 years ago

You'll need to find what uses of log4j there are in OpenHAB 2. Something like this:

dpkg -L openhab2 |
    grep -P '\.jar$' |
    while read -r jar
    do
        # list every entry of the jar whose path mentions log4j
        contents="$(jar tf "$jar" | grep -F log4j)"
        if [[ -n "$contents" ]]
        then
            echo "$contents" |
                while read -r line
                do
                    echo "$jar:$line"
                done
        fi
    done

This should tell you which .jar files include paths containing log4j in them, and therefore which .jars you need to replace.

I suspect pax logging 2.x is not backward compatible with 1.11.x so if you want to try this, you will need to do it with version 1.11.10 rather than 2.0.11. The former version also has the upgraded log4j 2 dependencies.

That said, you may be better off applying the mitigation described in the forum post by editing /etc/default/openhab2 and setting the variable EXTRA_JAVA_OPTS to -Dlog4j2.formatMsgNoLookups=true.
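To confirm that the EXTRA_JAVA_OPTS mitigation is actually active on a running instance (an added example, not openHAB tooling; it assumes a Linux /proc and takes the openHAB java PID as its argument): the value written to /etc/default/openhab2 only reaches the JVM after the service is restarted, and if -Dlog4j2.formatMsgNoLookups appears more than once on the command line the last assignment wins, so the live process command line is the thing to check, not the config file. The property is only honoured by log4j 2.10 and later; an older bundled core needs the jar replacement instead.

```shell
#!/bin/sh
# Added example, not openHAB's own tooling: verify that the
# formatMsgNoLookups mitigation is in effect for a running JVM.
# Assumes Linux (/proc/<pid>/cmdline) and the java PID as $1.
set -u

# Read JVM arguments, one per line, on stdin. Succeed only when the last
# -Dlog4j2.formatMsgNoLookups=... assignment is "true" (case-insensitive,
# matching how log4j parses boolean properties); later -D flags override
# earlier ones.
nolookups_effective() {
    awk -F= '/^-Dlog4j2\.formatMsgNoLookups=/ { v = tolower($2) }
             END { exit (v == "true") ? 0 : 1 }'
}

# Split /proc/<pid>/cmdline (NUL-separated) into one argument per line.
cmdline_args() {
    tr '\0' '\n' < "/proc/$1/cmdline"
}

# Usage: sh check-nolookups.sh "$(pidof java)"
if [ "$#" -gt 0 ]; then
    if cmdline_args "$1" | nolookups_effective; then
        echo "pid $1: -Dlog4j2.formatMsgNoLookups=true is in effect"
    else
        echo "pid $1: mitigation NOT in effect; restart openhab2 after editing /etc/default/openhab2" >&2
        exit 1
    fi
fi
```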

Michdo93 commented 2 years ago

Thank you. I have done the mitigation. Also using the 1.11.10 worked for me:

wget https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-api/1.11.10/pax-logging-api-1.11.10.jar
wget https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-log4j2/1.11.10/pax-logging-log4j2-1.11.10.jar
wget https://repo1.maven.org/maven2/org/ops4j/pax/logging/pax-logging-logback/1.11.10/pax-logging-logback-1.11.10.jar

sudo dpkg-divert --local --divert /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-api/1.11.2/pax-logging-api-1.11.2.bad --rename --add /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-api/1.11.2/pax-logging-api-1.11.2.jar
sudo dpkg-divert --local --divert /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.bad --rename --add /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.jar
sudo dpkg-divert --local --divert /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-logback/1.11.2/pax-logging-logback-1.11.2.bad --rename --add /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-logback/1.11.2/pax-logging-logback-1.11.2.jar

sudo install -oopenhab -gopenhab -m0644 pax-logging-api-1.11.10.jar /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-api/1.11.2/pax-logging-api-1.11.2.jar
sudo install -oopenhab -gopenhab -m0644 pax-logging-log4j2-1.11.10.jar /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/1.11.2/pax-logging-log4j2-1.11.2.jar
sudo install -oopenhab -gopenhab -m0644 pax-logging-logback-1.11.10.jar /usr/share/openhab2/runtime/system/org/ops4j/pax/logging/pax-logging-logback/1.11.2/pax-logging-logback-1.11.2.jar

splatch commented 2 years ago

> This has been mitigated by openhab/openhab-distro#1343 and will be finally addressed by openhab/openhab-distro#1344. See also https://community.openhab.org/t/openhab-and-the-log4j-security-vulnerability/129901.

It can be mitigated now by openhab/openhab-distro#1350. No need to wait for Karaf, as there is a mechanism to force a specific version of pax logging. Moreover, this way also works for older/legacy Karaf releases, which will be slower in providing security patches.