Issue information:
Please see https://github.com/ops4j/org.ops4j.pax.logging/security/advisories/GHSA-xxfh-x98p-j8fr and https://github.com/advisories/GHSA-jfh8-c2jp-5v3q.
OpenHAB depends upon ops4j pax-logging-{api,log4j2,logback} 2.0.9. There is a critical remote code execution vulnerability rated at severity 10/10 involving log4j < 2.15.0, which pax-logging-log4j2 includes as an uberjar. This is deployed, at minimum, as part of the OpenHAB apt distribution, and very likely in other forms.
Version 2.0.11 of ops4j pax.logging bundles the log4j 2.15.0 classes instead of the earlier versions.
Workaround
For those who, like me, use the OpenHAB apt repository, it is possible to work around this by using dpkg-divert to rename away the 2.0.9 pax-logging jars included in the openhab deb package, and copy the 2.0.11 jars in their place:

The 2.0.11 jars can be found in Maven Central:
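As an added example (editor's script, not the issue author's), the workaround above written out as a POSIX sh script that prints, and with --apply executes, the dpkg-divert and copy steps for the three pax-logging jars. It assumes the openhab deb installs the Karaf system repository under /usr/share/openhab/runtime/system and that the three 2.0.11 jars have already been downloaded from Maven Central into NEW_JAR_DIR; both paths are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not the issue author's script. Prints (and with --apply runs)
# the dpkg-divert + copy steps for the three pax-logging jars.
# Assumed layout: Karaf system repo under /usr/share/openhab/runtime/system,
# 2.0.11 jars already downloaded into $NEW_JAR_DIR. Override via environment.
OLD_VER="2.0.9"
NEW_VER="2.0.11"
SYSTEM_REPO="${SYSTEM_REPO:-/usr/share/openhab/runtime/system}"
NEW_JAR_DIR="${NEW_JAR_DIR:-/root/pax-logging-$NEW_VER}"
ARTIFACTS="pax-logging-api pax-logging-log4j2 pax-logging-logback"

# Path of one pax-logging jar inside the system repo (Maven directory layout).
repo_jar_path() { # $1=artifact $2=version
    printf '%s/org/ops4j/pax/logging/%s/%s/%s-%s.jar\n' "$SYSTEM_REPO" "$1" "$2" "$1" "$2"
}

# Print the two commands for one artifact; nothing is executed here.
plan_one() { # $1=artifact
    old=$(repo_jar_path "$1" "$OLD_VER")
    # --local --rename: dpkg records the diversion and moves the packaged 2.0.9
    # jar to <path>.distrib; a later package upgrade writes its own copy to the
    # .distrib path and leaves the replacement in place. Remove the diversion
    # once a package version that ships fixed jars is installed.
    printf 'dpkg-divert --local --add --rename --divert %s.distrib %s\n' "$old" "$old"
    # The 2.0.11 jar is installed under the 2.0.9 file name because Karaf
    # resolves the bundle by the version pinned in its startup configuration.
    printf 'install -m 0644 %s/%s-%s.jar %s\n' "$NEW_JAR_DIR" "$1" "$NEW_VER" "$old"
}

plan_all() {
    for a in $ARTIFACTS; do plan_one "$a"; done
}

# Refuse to run unless every replacement jar is present, then execute the plan.
apply_plan() {
    for a in $ARTIFACTS; do
        [ -f "$NEW_JAR_DIR/$a-$NEW_VER.jar" ] || {
            echo "missing $NEW_JAR_DIR/$a-$NEW_VER.jar" >&2; return 1; }
    done
    plan_all | sh -e
}

if [ "${1:-}" = "--apply" ]; then
    apply_plan
fi
```

Run it as root with --apply and then restart openHAB; Karaf keeps a bundle cache under its data directory, so clear that cache if the bundle list still reports the 2.0.9 version afterwards.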