Apache Karaf runtime 4.3.5 and 4.2.14 are available, status regarding log4shell
You have probably heard about the security issue concerning log4j.
This vulnerability in log4j is called Log4Shell. Basically, the Log4Shell exploit gives attackers a simple way to execute code on any vulnerable machine. To exploit the vulnerability, an attacker has to cause the application to save a special string of characters in the log.
The log4j community quickly fixed this issue by releasing corrected versions, starting from log4j 2.15.0 up to 2.17.0.
In Apache Karaf runtime, we don't use log4j (or any logging framework) directly. Karaf leverages Pax Logging, which abstracts and packages the logging framework into a central logging service. The Pax Logging API bundle repackages the log4j, logback, slf4j, etc. packages.
The first step is to upgrade the log4j packages in Pax Logging and cut new Pax Logging releases. That's what we did:
- Pax Logging 2.0.12 has been released, upgrading to log4j 2.17.0 (fixing CVE-2021-45105 and CVE-2021-44228) and logback 1.2.9 (fixing CVE-2021-42550)
- Pax Logging 1.11.12 has been released, upgrading to log4j 2.17.0 (fixing CVE-2021-45105 and CVE-2021-44228) and logback 1.2.9 (fixing CVE-2021-42550)
Then we upgraded to these Pax Logging releases in Karaf (Karaf 4.3.x uses Pax Logging 2.0.x, and Karaf 4.2.x uses Pax Logging 1.11.x) and made new Karaf runtime releases:
- Apache Karaf runtime 4.3.5 has been released, upgrading to Pax Logging 2.0.12
- Apache Karaf runtime 4.2.14 has been released, upgrading to Pax Logging 1.11.12
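To verify which Pax Logging the log4j bundle of an installation actually comes from, here is an added shell check (not Karaf project code, and not part of this announcement). It assumes the default Maven-layout system repository under KARAF_HOME/system, and takes the versions named above (2.0.12 for the 2.0.x line, 1.11.12 for the 1.11.x line) as the fixed threshold.

```shell
#!/bin/sh
# Added example, not part of the Karaf project. Reports whether the
# pax-logging-log4j2 bundle in a Karaf system repository is at or above
# the Pax Logging release that ships log4j 2.17.0.
# Assumption: KARAF_HOME/system uses the Maven repository layout, so the
# bundle sits under system/org/ops4j/pax/logging/pax-logging-log4j2/<version>/.
# Only plain numeric dotted versions (e.g. 2.0.12) are compared.

# version_ge A B: returns 0 when A >= B, 1 otherwise.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}   # drop the consumed component
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}                 # missing components count as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# pax_logging_status KARAF_HOME: prints "fixed <v>" or "vulnerable <v>" per
# version found; returns 0 if all are fixed, 1 if any is below the fix or
# on an unknown line, 2 if the bundle directory does not exist.
pax_logging_status() {
    dir="$1/system/org/ops4j/pax/logging/pax-logging-log4j2"
    [ -d "$dir" ] || { echo "pax-logging-log4j2 not found under $dir"; return 2; }
    rc=0
    for v in "$dir"/*/; do
        [ -d "$v" ] || continue              # no version directories at all
        v=$(basename "$v")
        case "$v" in
            2.0.*)  fixed=2.0.12 ;;          # Karaf 4.3.x line
            1.11.*) fixed=1.11.12 ;;         # Karaf 4.2.x line
            *)      echo "unknown line $v"; rc=1; continue ;;
        esac
        if version_ge "$v" "$fixed"; then
            echo "fixed $v"
        else
            echo "vulnerable $v (upgrade to >= $fixed)"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `pax_logging_status /opt/karaf` (path is an example) from a shell that has sourced the script; a non-zero exit means the installation still carries a pre-fix Pax Logging.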
We strongly recommend that you upgrade to these versions. You can find details and downloads on the Karaf website: https://karaf.apache.org/download.html.
NB: log4j 2.17.1 has been released, fixing a couple of compatibility issues, especially with slf4j. Even if Karaf is not directly impacted thanks to Pax Logging, we will prepare new Pax Logging/Karaf releases to "keep the release pace" ;)