The easiest way to remediate this is to update to log4j version 2.15.0 or later, as this behavior is now disabled by default.
In previous releases (>2.10) this behavior can be mitigated by setting the system property log4j2.formatMsgNoLookups to true, for example by adding the following JVM argument: -Dlog4j2.formatMsgNoLookups=true
Alternatively, you can mitigate this vulnerability by removing the JndiLookup class from the classpath. You may find more details about the Log4j vulnerability at the link in the references below.
Spring Boot Users:
Spring Boot users are affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.
Maven
Maven users can upgrade to log4j 2.15.0, released on Dec 10th 2021 to address the Log4j vulnerability, by declaring the dependency below.
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.15.0</version>
</dependency>
To check that the override has been applied, run ./mvnw dependency:list | grep log4j and check that the version is 2.15.0.
Gradle:
For Gradle users, you can follow these instructions and update the version property, import the BOM or use a resolutionStrategy.
For most users, setting the log4j2.version property will be sufficient:
ext['log4j2.version'] = '2.15.0'
If you’re using Gradle’s platform support instead of our dependency management plugin then you can add a dependency to the Log4J BOM:
implementation(platform("org.apache.logging.log4j:log4j-bom:2.15.0"))
And if you can’t use either of those methods then you can declare a resolutionStrategy:
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.apache.logging.log4j') {
            details.useVersion '2.15.0'
        }
    }
}
Whichever method you choose, to check that the override has been applied you can run ./gradlew dependencyInsight --dependency log4j-core and look for version 2.15.0.
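The build-tool checks above only cover jars resolved by your own build. To verify what is actually deployed (including log4j-core jars nested inside a Spring Boot fat jar under BOOT-INF/lib/), the following script, added here as an example and not part of the original post, inspects jar files, reports the log4j-core version and whether the JndiLookup class is still on the classpath, and can write a copy of a jar with that class removed (the classpath mitigation described earlier). It assumes the jar carries the META-INF/maven/.../pom.properties entry that Maven-built log4j jars include, falling back to the version in the file name; the sample jars it builds for its demo are constructed test data, not real log4j artifacts.

```python
"""Inventory log4j-core jars (top-level or nested in a Spring Boot fat jar),
report version and JndiLookup presence, and optionally strip JndiLookup.class.
Added example, not part of the original post. Assumes Maven-built jars carry
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties."""
import io
import re
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # remediation target named in the post
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); a suffix such as '-rc1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def inspect_log4j_core(data: bytes, name: str) -> dict:
    """Inspect one log4j-core jar: version from pom.properties (or the file
    name) and whether JndiLookup.class is present on its classpath."""
    version = None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("ascii", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1].strip())
        if version is None:
            m = re.search(r"log4j-core-([\d.]+)", name)
            if m:
                version = parse_version(m.group(1))
        has_jndi = JNDI_CLASS in names
    # Remediated if at/after 2.15.0 (lookups off by default) or the class is gone.
    return {
        "jar": name,
        "version": version,
        "has_jndilookup": has_jndi,
        "remediated": (version is not None and version >= FIXED_VERSION) or not has_jndi,
    }


def scan_jar(data: bytes, name: str) -> list:
    """Report the jar itself if it is log4j-core, plus every log4j-core jar
    nested inside it (Spring Boot fat jars keep libraries in BOOT-INF/lib/)."""
    findings = []
    if "log4j-core" in Path(name).name:
        findings.append(inspect_log4j_core(data, name))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry.endswith(".jar") and "log4j-core" in Path(entry).name:
                findings.append(inspect_log4j_core(zf.read(entry), f"{name}!{entry}"))
    return findings


def strip_jndilookup(data: bytes) -> bytes:
    """Return a copy of the jar without JndiLookup.class, i.e. the classpath
    mitigation the post describes, applied to the jar's bytes."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar(version: str, with_jndi: bool, nested_in_boot: bool = False) -> bytes:
    """Build a constructed, minimal jar mimicking log4j-core's layout (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class-file bytes
    core = buf.getvalue()
    if not nested_in_boot:
        return core
    boot = io.BytesIO()
    with zipfile.ZipFile(boot, "w") as zf:  # fat jar: nested jars are STORED
        zf.writestr("BOOT-INF/classes/application.properties", "logging.level.root=INFO\n")
        zf.writestr(f"BOOT-INF/lib/log4j-core-{version}.jar", core)
    return boot.getvalue()


if __name__ == "__main__":
    if sys.argv[1:]:  # usage: python scan_log4j.py myapp.jar lib/*.jar
        for path in sys.argv[1:]:
            for finding in scan_jar(Path(path).read_bytes(), path):
                print(finding)
    else:  # demo on constructed jars
        print(scan_jar(make_sample_jar("2.14.1", True), "log4j-core-2.14.1.jar"))
        print(scan_jar(make_sample_jar("2.15.0", True, True), "myapp.jar"))
```

Run it against the deployed artifact (the Spring Boot fat jar or the lib/ directory), not only the build output; a jar whose version is below 2.15.0 and still contains JndiLookup.class is reported as not remediated.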
Other Options
For users that can't upgrade, another option is to set the log4j2.formatMsgNoLookups system property to true. For example, you can start your app using
java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar
References:
https://santhoshponnam.com/index.php/2021/12/11/log4j-rce-vulnerability/