When I run
$ java -XX:+UnlockDiagnosticVMOptions -XX:+PrintFlagsFinal -version | grep -i formatMsgNoLookups
I get no formatMsgNoLookups option in output. Does it mean I am not vulnerable to CVE-2021-44228?
CodePudding user response:
You are conflating things. log4j2.formatMsgNoLookups is a system property which is picked up by the log4j2 logging library. It is not a JVM flag and won't be printed by -XX:+PrintFlagsFinal. If it is enabled, then log4j2 doesn't perform lookups from the format message, which mitigates the vulnerability by disabling this attack vector.
You can only be vulnerable to CVE-2021-44228 if you are actually using log4j2 in your Java application. Let me repeat that: your application is what's vulnerable, not the Java or the JVM itself. On the same JVM, one application can be vulnerable, while another isn't.
(And if it were, the absence of it would rather indicate the opposite: you are vulnerable)
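As an added example (not part of the answer above), the script below makes the distinction concrete: it reads the mitigation from where log4j2 actually looks, the -D system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable, and then inventories the application's own classpath for log4j-core jars, since that, not the JVM, is what decides exposure. The sample jars and command line are constructed for illustration.

```python
import os
import re
import zipfile
from pathlib import Path

PROP = "log4j2.formatMsgNoLookups"          # read by log4j2, never by the JVM itself
ENV_VAR = "LOG4J_FORMAT_MSG_NO_LOOKUPS"     # environment-variable equivalent
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def lookups_disabled(argv, env):
    """True only if the app was launched with -Dlog4j2.formatMsgNoLookups=true
    or LOG4J_FORMAT_MSG_NO_LOOKUPS=true. -XX flags never carry this setting,
    which is why -XX:+PrintFlagsFinal cannot show it."""
    for arg in argv:
        if arg.startswith(f"-D{PROP}="):
            return arg.split("=", 1)[1].strip().lower() == "true"
    return env.get(ENV_VAR, "").strip().lower() == "true"

def classpath_entries(argv):
    """Collect jar paths from -cp/-classpath; directory entries are expanded."""
    jars = []
    for i, arg in enumerate(argv[:-1]):
        if arg in ("-cp", "-classpath"):
            for entry in argv[i + 1].split(os.pathsep):
                path = Path(entry)
                if path.is_dir():
                    jars.extend(sorted(path.glob("*.jar")))
                elif path.is_file():
                    jars.append(path)
    return jars

def find_log4j_core(argv):
    """Return (jar path, manifest version, still ships JndiLookup) per log4j-core jar."""
    found = []
    for jar in classpath_entries(argv):
        if not re.match(r"log4j-core-.*\.jar$", jar.name):
            continue
        with zipfile.ZipFile(jar) as zf:
            names = zf.namelist()
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") \
                if "META-INF/MANIFEST.MF" in names else ""
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            found.append((str(jar), m.group(1) if m else "unknown", JNDI_CLASS in names))
    return found

def build_sample_classpath(directory):
    """Constructed fixtures only: a fake log4j-core jar plus an unrelated jar."""
    directory = Path(directory)
    with zipfile.ZipFile(directory / "log4j-core-2.14.1.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Version: 2.14.1\r\n")
        zf.writestr(JNDI_CLASS, b"")        # class body is irrelevant for a presence check
    with zipfile.ZipFile(directory / "other-lib-1.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
    return str(directory)
```

Run it against a real process by passing the argument list from `ps` (or `jcmd <pid> VM.command_line`) and that process's environment; JndiLookup.class present in a pre-2.15 log4j-core jar with no property set is the case the answer calls vulnerable.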