I configure my log4j with an XML file and I'm not sure where to add formatMsgNoLookups=true?
<?xml version="1.0" encoding="UTF-8"?>
<!-- Upload files compare config -->
<configuration status="OFF">
  <appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} %p - %msg%n"/>
    </Console>
    <!-- http://logging.apache.org/log4j/2.x/manual/appenders.html#RollingFileAppender -->
    <RollingFile name="File" fileName="logs/MyLogFile.log"
                 filePattern="logs/MyLogFile-%d{yyyy-MM-dd}.log"
                 ignoreExceptions="false">
      <PatternLayout>
        <Pattern>%d %p %c{1.} %m%n</Pattern>
      </PatternLayout>
    </RollingFile>
  </appenders>
  <Loggers>
    <Root level="INFO">
      <AppenderRef ref="File"/>
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</configuration>
CodePudding user response:
CVE-2021-44228 Log4Shell Vulnerability
If you can, upgrade to log4j2 version >= 2.15.0.
The Apache logging site suggests workarounds for the JNDI lookup vulnerability in earlier releases of Log4j2:
- Set the system property log4j2.formatMsgNoLookups when you launch the VM, passing it as java -Dlog4j2.formatMsgNoLookups=true ...
- Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
- For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the org/apache/logging/log4j/core/lookup/JndiLookup.class from the classpath - see log4j-core-*.jar.
The second point sounds like it would be the quickest to apply, as it could be defined once for each user account that runs your application, though I could not find LOG4J_FORMAT_MSG_NO_LOOKUPS when running a grep on the Java source code for 2.14.0, so perhaps this workaround applies to earlier versions.
CodePudding user response:
As @DuncG commented, the option to disable lookups for log4j is not a configuration option but the system property log4j2.formatMsgNoLookups.
Depending on your environment (Spring, stand-alone executable, Tomcat web application, ...) the way system properties are set may vary. The simplest possibility for starting a Java process from a jar file would be to add -Dlog4j2.formatMsgNoLookups=true to your command line:
java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar
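To tie the two answers together, here is an added shell example (not from either answer) that takes a log4j-core version and the Java launch command line and reports which of the actions above applies: already patched, mitigated by the property or environment variable, property still missing, or class removal for the older releases. The version thresholds come from the answers; the function names and the "out-of-scope" label for pre-2.0 versions are assumptions of this example.

```shell
#!/bin/sh
# Added example: map a log4j-core version plus launch command to the action the
# answers above recommend. Thresholds: >= 2.15.0 fixed; > 2.10.0 honours the
# log4j2.formatMsgNoLookups property / LOG4J_FORMAT_MSG_NO_LOOKUPS env var;
# 2.0-beta9 .. 2.10.0 needs JndiLookup.class removed from log4j-core-*.jar.

# Compare dotted versions numerically: prints 0 (a == b), 1 (a > b) or 2 (a < b).
# A pre-release suffix such as "-beta9" is stripped, so 2.0-beta9 compares as 2.0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/-.*/, "", a); sub(/-.*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) { print 1; exit }
            if (p < q) { print 2; exit }
        }
        print 0
    }'
}

# True when the command line carries -Dlog4j2.formatMsgNoLookups=true or the
# environment variable value passed as $2 is "true".
lookups_disabled() {
    cmdline=$1; envval=${2:-}
    case " $cmdline " in *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;; esac
    [ "$envval" = "true" ]
}

# Prints one of: patched | mitigated | set-property | remove-class | out-of-scope
log4j_action() {
    version=$1; cmdline=$2; envval=${3:-}
    if [ "$(vercmp "$version" 2.0)" = 2 ]; then echo out-of-scope; return; fi
    if [ "$(vercmp "$version" 2.15.0)" != 2 ]; then echo patched; return; fi
    if [ "$(vercmp "$version" 2.10.0)" = 1 ]; then
        if lookups_disabled "$cmdline" "$envval"; then echo mitigated; else echo set-property; fi
        return
    fi
    echo remove-class   # property not relied on for 2.0-beta9 .. 2.10.0 per the answer
}

# Constructed sample: the asker's launch line from the answer above, on 2.14.0
log4j_action 2.14.0 "java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar"
```

Pass a third argument with the value of LOG4J_FORMAT_MSG_NO_LOOKUPS to evaluate the environment-variable route instead of the command-line flag.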