DEV Community

Composite
Composite

Posted on • Updated on

How to pass the Log4J2 Vulnerability, quickly!

Apache recommends update quickly to 2.15.0 but If your server is running with java 1.7 or older, DOH!
because log4j 2.15.0 requires Java 8 or later.

Don't worry. here's quick fix for you. your objective is DON'T LOOKUP AND PARSE JDNI LAYOUT FOR PREVENT REMOTE EXECUTION.

log4j.formatMsgNoLookups set to true

You just add system property; log4j.formatMsgNoLookups to true in your source(public static void main), java arguments, etc.
if you're using tomcat, add -Dlog4j.formatMsgNoLookups=true in CATALINA_OPTS. other servlet container app or server will have similar to container arguments to apply it.

this option requires log4j 2.10.0 or later.

%m{nolookups} in the PatternLayout

most apps have seperated log4j config file(xml, yaml, etc.) for manage log environment. it's simple. you should have PatternLayout for log format. just replace %m to %m{nolookups}.
that's it! and restart your app.

this options requires log4j 2.7.0 or later.

Hack log4j-core.jar

If your app have log4j perior to 2.6.x, it will pretty hard to patch it. You must remove JdniLookUp and JdniManager class from log4j-core.jar. you an create these class and fill dummy in your app, or manually build log4j on your own.

Go ahead! and secure your java app now!

References:

Top comments (0)