Showing posts from December, 2021

Apache Karaf runtime 4.3.5 and 4.2.14 are available, status regarding log4shell

You probably heard about security issue concerning log4j. This vulnerability in log4j is called log4shell. Basically, log4shell exploit gives attackers a simple way to execute code on any vulnerable machine. To exploit the vulnerability, an attacker has to cause the application to save a special string of characters in the log. The log4j community quickly fix this issue by releasing corrected version, starting from log4j 2.15.0 up to 2.17.0. In Apache Karaf runtime, we don't directly use log4j (or any logging framework). Karaf leverages Pax Logging which abstract/package the logging framework in a central logging service. Pax Logging API bundle reshape log4j, logback, slf4j, etc packages. The first step to do is to upgrade the log4j packages in Pax Logging and cut new Pax Logging releases. It's what we did: Pax Logging 2.0.12 has been released, upgrading to log4j 2.17.0 (fixing CVE-2021-45105 and CVE-2021-44228) and logback 1.2.9 (fixing CVE-2021-42550) Pax Logg