Upgrade to pax-logging 2.0.15

Description

Our vulnerability scanner reports a log4j vulnerability in the version of pax-logging installed in our 29.0.9 OpenNMS instance and recommends upgrading to version 2.0.15.

Could you please consider updating this component?

Best regards,

Cyrille

=======================

Reference to previous pax-logging update ticket: https://issues.opennms.org/browse/NMS-13878

=======================

Extract from our vulnerability scanner:

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
     - output : 
  Path              : /usr/share/opennms/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar
  Installed version : 2.14.1
  Fixed version     : 2.15.0

     - update_date : 2022-04-11
     - remediation : Upgrade to Apache Log4j version 2.3.1 / 2.12.3 / 2.15.0 or later, or apply the vendor mitigation.

Acceptance / Success Criteria

None

Activity

Jeff Gehlbach June 7, 2022 at 3:14 PM

Is there anything left to do for this issue? It seems Karaf's override mechanism mitigates any risk from having the old pax-logging JAR, but OTOH in-situ scanning tools will continue identifying that JAR until whichever dependency is responsible for its transitive inclusion gets a bump. Are we content to play whack-a-mole when that happens?

Maybe has thoughts on the matter.

Jeff Gehlbach June 2, 2022 at 8:36 PM

The Karaf docs on overrides explain the mechanism succinctly. In our case, any time pax-logging-log4j2 is called for at any version between 2.0 and 3.0, Karaf will substitute 2.0.14 instead.

Cyrille Bollu May 11, 2022 at 10:26 AM

Hi,

Thank you for your feedback.

I don't understand the purpose of this overrides.properties file though. And, how does it work?

Jeff Gehlbach May 3, 2022 at 2:02 PM

Thanks Ben. I'm going to downgrade this issue to Minor severity since it doesn't lead to an actual exposure.

Benjamin Reed May 3, 2022 at 1:52 PM

We can put some post-processing in to delete it to make automated scanners happy, I suppose, but the $OPENNMS_HOME/etc/overrides.properties should ensure it always gets replaced by the good version at runtime.
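The two comments above describe how $OPENNMS_HOME/etc/overrides.properties makes Karaf load pax-logging-log4j2 2.0.14 whenever any version in the 2.0 to 3.0 range is requested, which is why the 2.0.9 JAR the scanner flags on disk is not the one that runs. The following triage helper is an added example, not OpenNMS or Karaf code: it takes the JAR path exactly as Nessus reported it in this ticket, recovers the Maven coordinates from the repository layout under system/, and checks them against a constructed overrides.properties whose single entry follows the Karaf override syntax `mvn:<groupId>/<artifactId>/<version>;range=<OSGi range>` and matches what the comments state (2.0.14 for [2.0,3.0)). The file content and the helper names are assumptions made for this example; the point is to answer, for each scanner finding, whether the flagged artifact is actually loaded or substituted at runtime.

```python
"""
Triage helper: given a JAR that a file-system scanner flagged under
$OPENNMS_HOME/system, decide whether Karaf would load that version or
substitute another one through an overrides.properties entry.

Added example, not OpenNMS or Karaf code. Assumes the Karaf override line
syntax  mvn:<groupId>/<artifactId>/<version>;range=<OSGi version range>
and the Maven-repository directory layout under .../system/.
"""
import re
from pathlib import PurePosixPath

# Constructed overrides.properties content (assumption for this example),
# consistent with the ticket: pax-logging-log4j2 in [2.0,3.0) -> 2.0.14.
OVERRIDES_PROPERTIES = """\
# blank lines and comment lines are ignored
mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.14;range=[2.0,3.0)
"""

# Path exactly as the scanner reported it in this ticket.
SCANNER_PATH = ("/usr/share/opennms/system/org/ops4j/pax/logging/"
                "pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar")

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")
_RANGE_RE = re.compile(r"^([\[(])\s*([^,]+?)\s*,\s*([^\])]+?)\s*([\])])$")


def parse_version(text):
    """'2.0.9' -> (2, 0, 9). Missing parts default to 0; a qualifier such as
    '-SNAPSHOT' is ignored for the range comparison."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def parse_range(text):
    """'[2.0,3.0)' -> (low, low_inclusive, high, high_inclusive)."""
    m = _RANGE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported range syntax: %r" % text)
    return (parse_version(m.group(2)), m.group(1) == "[",
            parse_version(m.group(3)), m.group(4) == "]")


def version_in_range(version, rng):
    """Inclusive/exclusive bound handling for an OSGi-style interval."""
    low, low_inc, high, high_inc = rng
    above_low = version > low or (low_inc and version == low)
    below_high = version < high or (high_inc and version == high)
    return above_low and below_high


def parse_overrides(text):
    """Return [(groupId, artifactId, version_tuple, range)] from override lines.
    Only lines with an explicit ;range= are accepted by this helper."""
    overrides = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        coord, _, opts = line.partition(";")
        if not coord.startswith("mvn:"):
            raise ValueError("not an mvn: coordinate: %r" % line)
        group, artifact, version = coord[len("mvn:"):].split("/")
        rng = None
        for opt in opts.split(";"):
            key, _, val = opt.partition("=")
            if key.strip() == "range":
                rng = parse_range(val)
        if rng is None:
            raise ValueError("explicit range required by this helper: %r" % line)
        overrides.append((group, artifact, parse_version(version), rng))
    return overrides


def coords_from_jar_path(path):
    """.../system/<group dirs>/<artifact>/<version>/<artifact>-<version>.jar
    -> (groupId, artifactId, version_tuple)."""
    parts = PurePosixPath(path).parts
    repo_root = parts.index("system")
    version, artifact = parts[-2], parts[-3]
    if parts[-1] != "%s-%s.jar" % (artifact, version):
        raise ValueError("JAR name does not match directory layout: %r" % parts[-1])
    group = ".".join(parts[repo_root + 1:-3])
    return group, artifact, parse_version(version)


def effective_version(jar_path, overrides_text):
    """Return (version Karaf would load, True if an override applied)."""
    group, artifact, version = coords_from_jar_path(jar_path)
    for o_group, o_artifact, o_version, rng in parse_overrides(overrides_text):
        if (o_group, o_artifact) == (group, artifact) and version_in_range(version, rng):
            return o_version, True
    return version, False


if __name__ == "__main__":
    loaded, overridden = effective_version(SCANNER_PATH, OVERRIDES_PROPERTIES)
    print("on disk: 2.0.9; loaded at runtime: %s; overridden: %s"
          % (".".join(map(str, loaded)), overridden))
```

Run against the path from the Nessus extract, the helper reports that 2.0.14 is what Karaf loads, so the finding is a disk artifact rather than a runtime exposure; a JAR outside the configured range (for example a 3.x build) would come back as not overridden and would deserve a real look. The script only reads the override file and the path string, so it can be run over a whole scanner export without touching the running instance.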

Created April 27, 2022 at 7:56 AM
Updated November 10, 2022 at 9:46 PM