Clayton Walker

Posted on Dec 16, 2021

Verify an application has picked up a java property

#log4shell #java #log4j #log4j2

NOTE: This was written in response to the log4shell vulnerability CVE-2021-44228. -Dlog4j2.noFormatMsgLookup=true is not effective at mitigating the second of the two log4j vulnerabilities, CVE-2021-45046.

I've noticed these past few days people have been asking how to validate if a system property has been set.

Simple method (no code change)

The simplest method would be to add -Dlog4j2.noFormatMsgLookup=true to your JAVA_TOOL_OPTIONS environment variable, then verify that on startup you see the line

Picked up JAVA_TOOL_OPTIONS: -Dlog4j2.formatMsgNoLookups=true

printed to the console.

Code change method

The second way would be to check the system property itself, and print it out on startup. One example would be

System.out.println("log4j2.formatMsgNoLookups=" + System.getProperty("log4j2.formatMsgNoLookups"));

then validating

log4j2.formatMsgNoLookups=true

is printed to the console.

The Essential Toolkit for Front-end Developers

Take a user-centric approach to front-end monitoring that evolves alongside increasingly complex frameworks and single-page applications.

Get The Kit

Top comments (0)

The Future of Digital Art: Merging Blockchain, NFTs, and Open Source Sustainability

Bob Cars(on) - Mar 4

Indie Hackers and the Open-Source NFT Revolution

Rachel Duncan - Mar 4

Intel’s Open Source Hardware and Blockchain Initiatives: Pioneering the Future of Technology

Zhang Wei - Mar 4

Indie Hacking with Open Source Tools: Innovating on a Budget

ashu-commits - Mar 4

DEV Community