openhab / openhabian

openHABian - empowering the smart home, for Raspberry Pi and Debian systems
https://community.openhab.org/t/13379
ISC License

Upgrade ops4j pax-logging-* libraries to 2.0.11 #1635

Closed Prototyped closed 2 years ago

Prototyped commented 2 years ago

Issue information:

Please see https://github.com/ops4j/org.ops4j.pax.logging/security/advisories/GHSA-xxfh-x98p-j8fr and https://github.com/advisories/GHSA-jfh8-c2jp-5v3q.

OpenHAB depends upon ops4j pax-logging-{api,log4j2,logback} 2.0.9. There is a critical remote code execution vulnerability rated at severity 10/10 involving log4j < 2.15.0, which pax-logging-log4j2 includes as an uberjar. This is deployed, at minimum, as part of the OpenHAB apt distribution, and very likely in other forms.

Version 2.0.11 of ops4j pax.logging composes version 2.15.0 of log4j classes rather than earlier versions.

$ apt policy openhab
openhab:
  Installed: 3.1.0-1
  Candidate: 3.1.0-1
  Version table:
 *** 3.1.0-1 500
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main arm64 Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main arm64 Packages
        100 /var/lib/dpkg/status
     3.0.2-1 500
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main arm64 Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main arm64 Packages
     3.0.1-2 500
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main arm64 Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main arm64 Packages
     3.0.0-1 500
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable/main arm64 Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main armhf Packages
        500 https://openhab.jfrog.io/openhab/openhab-linuxpkg stable/main arm64 Packages
$ dpkg -L openhab | grep -P '\.jar$' | while read -r jar; do contents="$(jar tf "$jar" | fgrep log4j)"; if [[ -n "$contents" ]]; then echo "$contents" | while read -r line; do echo "$jar:$line"; done; fi; done
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-logback/2.0.9/pax-logging-logback-2.0.9.jar:ch/qos/logback/classic/log4j/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-logback/2.0.9/pax-logging-logback-2.0.9.jar:ch/qos/logback/classic/log4j/XMLLayout.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/services/org.apache.logging.log4j.util.PropertySource
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/util/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/util/Base64Util.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/util/ProcessIdUtil.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/util/StackLocator.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/util/internal/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:META-INF/versions/9/org/apache/logging/log4j/util/internal/DefaultObjectInputFilter.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/Appender.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/AppenderSkeleton.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/AsyncAppender$DiscardSummary.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/AsyncAppender$Dispatcher.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/AsyncAppender.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/AuditLevel.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/BasicConfigurator.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/Category.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/CategoryKey.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/ConsoleAppender$SystemErrStream.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/ConsoleAppender$SystemOutStream.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/ConsoleAppender.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar:org/apache/log4j/DailyRollingFileAppender.class
[...]
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.apache.logging.log4j/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.apache.logging.log4j/log4j-core/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.apache.logging.log4j/log4j-core/pom.xml
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.ops4j.pax.logging/pax-logging-log4j2/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.ops4j.pax.logging/pax-logging-log4j2/pom.properties
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/maven/org.ops4j.pax.logging/pax-logging-log4j2/pom.xml
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/org/apache/logging/log4j/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/org/apache/logging/log4j/core/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/org/apache/logging/log4j/core/config/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/org/apache/logging/log4j/core/config/plugins/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:META-INF/org/apache/logging/log4j/core/config/plugins/Log4j2Plugins.dat
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/AbstractLifeCycle.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/AbstractLogEvent.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Appender.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/ContextDataInjector.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Core.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/DefaultLoggerContextAccessor.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/ErrorHandler.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Filter$Result.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Filter.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Layout.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LifeCycle$State.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LifeCycle.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LifeCycle2.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LogEvent.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LogEventListener.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Logger$LoggerProxy.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Logger$PrivateConfig.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/Logger.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LoggerContext$1.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LoggerContext$ThreadContextDataTask.class
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/LoggerContext.class
[...]
/usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar:org/apache/logging/log4j/core/lookup/JndiLookup.class
[...]

Workaround

For those who, like me, use the OpenHAB apt repository, it is possible to work around this by using dpkg-divert to rename away the 2.0.9 pax-logging jars included in the openhab deb package, and copy the 2.0.11 jars in their place:

$ sudo dpkg-divert --local --divert /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.bad --rename --add /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar
$ sudo dpkg-divert --local --divert /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.bad --rename --add /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar
$ sudo dpkg-divert --local --divert /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-logback/2.0.9/pax-logging-logback-2.0.9.bad --rename --add /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-logback/2.0.9/pax-logging-logback-2.0.9.jar
$ sudo install -oopenhab -gopenhab -m0644 pax-logging-api-2.0.11.jar /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-api/2.0.9/pax-logging-api-2.0.9.jar
$ sudo install -oopenhab -gopenhab -m0644 pax-logging-log4j2-2.0.11.jar /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar
$ sudo install -oopenhab -gopenhab -m0644 pax-logging-logback-2.0.11.jar /usr/share/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-logback/2.0.9/pax-logging-logback-2.0.9.jar

The 2.0.11 jars can be found in Maven Central:
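As an added example (not the openHAB project's code nor the reporter's one-liner above), a Python scanner that generalizes the jar check: it reads the shaded log4j-core version from the pom.properties entry seen in the listing, records whether JndiLookup.class is present, and classifies each jar against the < 2.15.0 threshold the advisory states. The /usr/share/openhab/runtime/system default path is taken from the listing; demo() builds constructed sample jars in a temp directory rather than touching real artifacts.

```python
"""Scan jars for a bundled log4j-core and classify each against the advisory threshold."""
import re
import sys
import tempfile
import zipfile
from pathlib import Path
# Entries as they appear in the issue's listing of pax-logging-log4j2-2.0.9.jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # advisory: log4j-core < 2.15.0 is affected

def parse_version(text):
    """'2.15.0' -> (2, 15, 0); tolerates qualifiers such as '2.0-beta9'."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def inspect_jar(path):
    """Return the shaded log4j-core version (or None) and whether JndiLookup is present."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {"jar": str(path), "version": version, "jndi_lookup": JNDI_LOOKUP in names}

def classify(info):
    """'affected', 'fixed', 'unknown' (JndiLookup present but no version), or 'none'."""
    if info["version"] is not None:
        return "affected" if parse_version(info["version"]) < FIXED else "fixed"
    return "unknown" if info["jndi_lookup"] else "none"

def scan(root):
    return [inspect_jar(p) for p in sorted(Path(root).rglob("*.jar"))]

def make_sample_jar(path, version, with_jndi=True):
    """Constructed sample uberjar mimicking the pax-logging-log4j2 layout (not a real artifact)."""
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode

def demo():
    """Build three constructed jars in a temp dir and classify them."""
    root = Path(tempfile.mkdtemp())
    make_sample_jar(root / "old.jar", "2.14.1")
    make_sample_jar(root / "new.jar", "2.15.0")
    make_sample_jar(root / "shaded.jar", None)
    return {Path(r["jar"]).name: classify(r) for r in scan(root)}

if __name__ == "__main__":
    for r in scan(sys.argv[1] if len(sys.argv) > 1 else "/usr/share/openhab/runtime/system"):
        print(classify(r), r["version"], r["jar"])
```

A jar reported as "unknown" carries the JndiLookup class without Maven metadata and needs manual inspection; "fixed" means only that the bundled version meets the threshold the advisory in this issue gives.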

ecdye commented 2 years ago

@kaikreuzer are you aware of this CVE? If so can you transfer this issue to openHAB-core to be taken care of there.

kaikreuzer commented 2 years ago

Yes, see https://community.openhab.org/t/openhab-and-the-log4j-security-vulnerability/129901.