Where to put formatMsgNoLookups in log4j XML config file

Time:12-12

I configure my log4j with an XML file and I'm not sure where to add formatMsgNoLookups=true.

<?xml version="1.0" encoding="UTF-8"?>
<!--  Upload files compare config -->
<configuration status="OFF">
  <appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} %p - %msg%n"/>
    </Console>

    <!-- http://logging.apache.org/log4j/2.x/manual/appenders.html#RollingFileAppender -->
    <RollingFile name="File" fileName="logs/MyLogFile.log"
                 filePattern="logs/MyLogFile-%d{yyyy-MM-dd}.log"
                 ignoreExceptions="false">
      <PatternLayout>
        <Pattern>%d %p %c{1.} %m%n</Pattern>
      </PatternLayout>
    </RollingFile>
  </appenders>
  <Loggers>
    <Root level="INFO">
      <AppenderRef ref="File"/>
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</configuration>

CodePudding user response:

CVE-2021-44228 Log4Shell Vulnerability

If you can, upgrade to log4j2 version >= 2.15.0.

The Apache logging site suggests workarounds for the JNDI lookup vulnerability in earlier releases of Log4j2:

  1. Set the system property log4j2.formatMsgNoLookups when you launch the VM, passing it as java -Dlog4j2.formatMsgNoLookups=true ... .
  2. Set environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  3. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the org/apache/logging/log4j/core/lookup/JndiLookup.class from the classpath - see log4j-core-*.jar.

The second point sounds like it would be the quickest to apply, as it could be defined once for each user account that runs your application, though I could not find LOG4J_FORMAT_MSG_NO_LOOKUPS when running a grep on the Java source code for 2.14.0, so perhaps this workaround applies to earlier versions.

CodePudding user response:

As @DuncG commented, the option to disable lookups for log4j is not a configuration option but a system property:

log4j2.formatMsgNoLookups

Depending on your environment (Spring, stand-alone executable, Tomcat web application, …) the way system properties are set may vary. The simplest possibility, for starting a Java process from a jar file, would be to add

-Dlog4j2.formatMsgNoLookups=true

to your command line:

java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar
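An added example (not from the question or either answer) that checks which of the three workarounds listed above is in effect for a deployment, using only the identifiers named there: the -D property on the JVM command line, the environment variable, and whether a log4j-core jar still contains JndiLookup.class. The sample jars are constructed zips with placeholder entries, and the script does not check the Log4j version, which decides which workaround applies.

```python
"""Audit one Log4j 2 deployment for the three Log4Shell workarounds listed above."""
import io
import shlex
import zipfile

# Identifiers from the answer: the system property, the env var, and the class to strip.
SYSPROP = "log4j2.formatMsgNoLookups"
ENVVAR = "LOG4J_FORMAT_MSG_NO_LOOKUPS"
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def sysprop_set(cmdline: str) -> bool:
    """Workaround 1: the JVM command line carries -Dlog4j2.formatMsgNoLookups=true (value case-insensitive)."""
    for tok in shlex.split(cmdline):
        if tok.startswith(f"-D{SYSPROP}="):
            return tok.split("=", 1)[1].strip().lower() == "true"
    return False

def envvar_set(env: dict) -> bool:
    """Workaround 2: LOG4J_FORMAT_MSG_NO_LOOKUPS=true in the process environment."""
    return env.get(ENVVAR, "").strip().lower() == "true"

def jar_has_jndi_lookup(jar) -> bool:
    """Workaround 3 check: does this jar (path or raw bytes) still ship JndiLookup.class?"""
    src = io.BytesIO(jar) if isinstance(jar, bytes) else jar
    with zipfile.ZipFile(src) as zf:
        return JNDI_LOOKUP_ENTRY in zf.namelist()

def audit(cmdline: str, env: dict, jars) -> dict:
    """Report which of the three workarounds is in effect for this deployment."""
    return {
        "sysprop": sysprop_set(cmdline),
        "envvar": envvar_set(env),
        "jndi_class_removed": not any(jar_has_jndi_lookup(j) for j in jars),
    }

def mitigated(report: dict) -> bool:
    """Any single workaround in effect counts; the version check is left to the operator."""
    return any(report.values())

def build_jar(entries) -> bytes:
    """Constructed sample jar: a zip with placeholder class entries, not a real log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

VULNERABLE_JAR = build_jar(["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP_ENTRY])
STRIPPED_JAR = build_jar(["org/apache/logging/log4j/core/Logger.class"])
```

To audit a live process, feed `audit()` the output of `ps -o args= -p <pid>`, the contents of `/proc/<pid>/environ` parsed into a dict, and the real jar paths from its classpath.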