DEV Community 👩‍💻👨‍💻

Clayton Walker
Clayton Walker

Posted on

Verify an application has picked up a java property

NOTE: This was written in response to the log4shell vulnerability CVE-2021-44228. -Dlog4j2.noFormatMsgLookup=true is not effective at mitigating the second of the two log4j vulnerabilities, CVE-2021-45046.

I've noticed these past few days people have been asking how to validate if a system property has been set.

Simple method (no code change)

The simplest method would be to add -Dlog4j2.noFormatMsgLookup=true to your JAVA_TOOL_OPTIONS environment variable, then verify that on startup you see the line

Picked up JAVA_TOOL_OPTIONS: -Dlog4j2.formatMsgNoLookups=true
Enter fullscreen mode Exit fullscreen mode

printed to the console.

Code change method

The second way would be to check the system property itself, and print it out on startup. One example would be

System.out.println("log4j2.formatMsgNoLookups=" + System.getProperty("log4j2.formatMsgNoLookups"));
Enter fullscreen mode Exit fullscreen mode

then validating

log4j2.formatMsgNoLookups=true
Enter fullscreen mode Exit fullscreen mode


is printed to the console.

Top comments (0)

We want your help! Become a Tag Moderator.
Fill out this survey and help us moderate our community by becoming a tag moderator here at DEV.