Apache recommends update quickly to 2.15.0 but If your server is running with java 1.7 or older, DOH!
because log4j 2.15.0 requires Java 8 or later.
Don't worry. here's quick fix for you. your objective is DON'T LOOKUP AND PARSE JDNI LAYOUT FOR PREVENT REMOTE EXECUTION.
log4j.formatMsgNoLookups set to true
You just add system property; log4j.formatMsgNoLookups to true in your source(public static void main), java arguments, etc.
if you're using tomcat, add -Dlog4j.formatMsgNoLookups=true in CATALINA_OPTS. other servlet container app or server will have similar to container arguments to apply it.
this option requires log4j 2.10.0 or later.
%m{nolookups} in the PatternLayout
most apps have seperated log4j config file(xml, yaml, etc.) for manage log environment. it's simple. you should have PatternLayout for log format. just replace %m to %m{nolookups}.
that's it! and restart your app.
this options requires log4j 2.7.0 or later.
Hack log4j-core.jar
If your app have log4j perior to 2.6.x, it will pretty hard to patch it. You must remove JdniLookUp and JdniManager class from log4j-core.jar. you an create these class and fill dummy in your app, or manually build log4j on your own.
Go ahead! and secure your java app now!
References:
Oldest comments (0)