DEV Community

Clayton Walker
Clayton Walker

Posted on

Verify an application has picked up a java property

NOTE: This was written in response to the log4shell vulnerability CVE-2021-44228. -Dlog4j2.noFormatMsgLookup=true is not effective at mitigating the second of the two log4j vulnerabilities, CVE-2021-45046.

I've noticed these past few days people have been asking how to validate if a system property has been set.

Simple method (no code change)

The simplest method would be to add -Dlog4j2.noFormatMsgLookup=true to your JAVA_TOOL_OPTIONS environment variable, then verify that on startup you see the line

Picked up JAVA_TOOL_OPTIONS: -Dlog4j2.formatMsgNoLookups=true
Enter fullscreen mode Exit fullscreen mode

printed to the console.

Code change method

The second way would be to check the system property itself, and print it out on startup. One example would be

System.out.println("log4j2.formatMsgNoLookups=" + System.getProperty("log4j2.formatMsgNoLookups"));
Enter fullscreen mode Exit fullscreen mode

then validating

Enter fullscreen mode Exit fullscreen mode

is printed to the console.

Top comments (0)