Background
log4j has been found to be vulnerable to remote code execution (RCE).
openHAB uses Karaf, which includes PAX Logging, which in turn uses log4j underneath, so openHAB itself is exposed to this vulnerability.
Impact
Any openHAB instance that is publicly available or which consumes untrusted content from remote servers is potentially a target of this attack.
Patches
The openHAB patch releases 3.0.4 and 3.1.1 contain the mitigation described in this post.
Workarounds
Updating to the patch releases is optional. The mitigation can easily be applied manually, following the details given here.
References
For more information
If you have any questions or comments about this advisory, please comment on this thread.