Our system is a microservices-based system. It has more than 120 services. We were advised to upgrade the log4j version in our microservices to 2.16.0 to mitigate the recent log4j vulnerability. Currently, our services use the 2.11.2 version. Can't we just use -Dlog4j2.formatMsgNoLookups=true to mitigate these vulnerabilities?
CodePudding user response:
Look at the Apache Log4j Security Vulnerabilities page, especially the explanation under the heading "Fixed in Log4j 2.12.2 and Log4j 2.16.0".
It explains that even in 2.15.0, which had the initial fix for CVE-2021-44228, there was a situation possible in which you still had a problem, which has a new ID: CVE-2021-45046.
Note that previous mitigations involving configuration such as to set the system property log4j2.formatMsgNoLookups to true do NOT mitigate this specific vulnerability.
To protect yourself against the new CVE, update to 2.16.0.
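Added example, not the answerer's code: with 120 services the first job is finding out which log4j-core each one actually ships, so this scanner walks a deployment directory, reads the Maven version stamp inside every log4j-core jar, and classifies it by the cut-offs the answer cites (2.12.2 / 2.16.0 fixed, 2.15.0 only partially). The formatMsgNoLookups property is deliberately ignored, since it does not change the 2.16.0 verdict. The pom.properties path is the standard Maven layout; the sample jars in `demo()` are constructed so the scan runs offline.

```python
import os
import tempfile
import zipfile

# Maven embeds this file in every log4j-core jar; its 'version=' line is the artifact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.11.2' -> (2, 11, 2); a qualifier such as '-rc1' is dropped."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def classify(version):
    """Status per the Apache security page: 'fixed' for 2.16.0+ and the 2.12.2 backport,
    'partial' for 2.15.0 (CVE-2021-44228 fixed, CVE-2021-45046 not), else 'vulnerable'.
    The log4j2.formatMsgNoLookups property is deliberately not consulted: it changes nothing here."""
    v = parse_version(version)
    if v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0):
        return "fixed"
    if v == (2, 15, 0):
        return "partial"
    return "vulnerable"

def log4j_core_version(jar_path):
    """Return the log4j-core version inside a jar, or None if it is some other jar."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()

def scan(root):
    """Walk one service's deployment directory; yield (path, version, status) per log4j-core jar."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = log4j_core_version(path)
                if version:
                    yield path, version, classify(version)

def demo():
    """Constructed sample: three minimal jars carrying only pom.properties, scanned offline."""
    with tempfile.TemporaryDirectory() as tmp:
        for ver in ("2.11.2", "2.15.0", "2.16.0"):
            with zipfile.ZipFile(os.path.join(tmp, f"log4j-core-{ver}.jar"), "w") as jar:
                jar.writestr(POM_PROPS, f"version={ver}\nartifactId=log4j-core\n")
        return {version: status for _, version, status in scan(tmp)}
```

Point `scan()` at each service's lib directory (or a container image's unpacked filesystem) to get the real inventory; `demo()` only exercises the constructed jars.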
CodePudding user response:
Check these to understand how log4j works and how to fix it: https://www.youtube.com/watch?v=m_AkCbFc8DM https://www.youtube.com/watch?v=2qenXEw26Ig