How can we set up Tomcat server 7.0 (Java 1.7) or the Tomcat application so that -Dlog4j2.formatMsgNoLookups=true is set, to avoid Log4j vulnerability problems?
Should I just add it to $CATALINA_BASE/bin/setenv.sh?
CodePudding user response:
That depends on how Tomcat is started. If the startup.sh/catalina.sh scripts are used (usual in Unix environments), then adding:

    CATALINA_OPTS="$CATALINA_OPTS -Dlog4j2.formatMsgNoLookups=true"

in $CATALINA_BASE/bin/setenv.sh will work. If you are using Windows and start Tomcat as a service, it will not.

An alternative universal way is to add a file $CATALINA_BASE/lib/log4j2.component.properties (see documentation; log4j2.system.properties will also work, but it is undocumented) and set:

    log4j2.formatMsgNoLookups=true

there.
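
The two settings from the answer above, applied idempotently and then verified, as an added shell example that is not part of the original post. The function names are made up for this example, and a standard $CATALINA_BASE layout with bin/ and lib/ is assumed.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of Tomcat or Log4j.
FLAG='log4j2.formatMsgNoLookups=true'

# True if an active (not commented-out) CATALINA_OPTS line in setenv.sh carries the -D flag.
setenv_has_flag() {
    [ -f "$1/bin/setenv.sh" ] &&
        grep -Eq "^[[:space:]]*(export[[:space:]]+)?CATALINA_OPTS=.*-D${FLAG}([\"'[:space:]]|\$)" \
            "$1/bin/setenv.sh"
}

# True if lib/log4j2.component.properties sets the key to true ('=' or ':' separator).
props_has_flag() {
    f="$1/lib/log4j2.component.properties"
    [ -f "$f" ] &&
        grep -Eq '^[[:space:]]*log4j2\.formatMsgNoLookups[[:space:]]*[=:][[:space:]]*true[[:space:]]*$' "$f"
}

# Append line $2 to file $1, first ending an unterminated last line so nothing gets joined.
append_line() {
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
    printf '%s\n' "$2" >> "$1"
}

# Write both settings under CATALINA_BASE ($1); running it again changes nothing.
apply_mitigation() {
    [ -d "$1/bin" ] && [ -d "$1/lib" ] || { echo "not a CATALINA_BASE: $1" >&2; return 2; }
    setenv_has_flag "$1" ||
        append_line "$1/bin/setenv.sh" "CATALINA_OPTS=\"\$CATALINA_OPTS -D${FLAG}\""
    props_has_flag "$1" ||
        append_line "$1/lib/log4j2.component.properties" "$FLAG"
}

# Print which of the two settings is present: both, setenv-only, properties-only or none.
mitigation_status() {
    s=no; p=no
    if setenv_has_flag "$1"; then s=yes; fi
    if props_has_flag "$1"; then p=yes; fi
    case "$s$p" in
        yesyes) echo both ;;
        yesno)  echo setenv-only ;;   # only effective when started via startup.sh/catalina.sh
        noyes)  echo properties-only ;;
        *)      echo none ;;
    esac
}

# Usage: sh <this script> "$CATALINA_BASE"
if [ -n "${1:-}" ]; then apply_mitigation "$1" && mitigation_status "$1"; fi
```

The property is only honoured by Log4j 2.10 and later, and the Log4j project later described it as an incomplete mitigation, so upgrading the library is still needed.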