Fixing Log4j Vulnerability

Posted on December 11, 2021 (updated December 13, 2021) by Santhosh Ponnam

The easiest way to remediate this is to update to log4j version 2.15.0 or later, as this behavior is now disabled by default.

In earlier releases (>2.10), this behavior can be mitigated by setting the system property log4j2.formatMsgNoLookups to true, i.e. by adding the following JVM parameter: -Dlog4j2.formatMsgNoLookups=true

Alternatively, you can mitigate this vulnerability by removing the JndiLookup class from the classpath. You can find more details on the Log4j vulnerability itself in the linked post (see References).

Spring Boot Users:

Spring Boot users are affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that Spring Boot includes in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.

Maven

Maven users can upgrade to the latest version of log4j (2.15.0, released on Dec 10th 2021 for the Log4j vulnerability) by declaring the dependency as below:

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.15.0</version>
</dependency>

To check that the override has been applied, run ./mvnw dependency:list | grep log4j and check that the version is 2.15.0.

Gradle:

For Gradle users, you can follow these instructions and update the version property, import the BOM, or use a resolutionStrategy.

For most users, setting the log4j2.version property will be sufficient:

ext['log4j2.version'] = '2.15.0'

If you're using Gradle's platform support instead of Spring Boot's dependency management plugin, then you can add a dependency on the Log4J BOM:

implementation(platform("org.apache.logging.log4j:log4j-bom:2.15.0"))

And if you can't use either of those methods, then you can declare a resolutionStrategy:

configurations.all {
	resolutionStrategy.eachDependency { DependencyResolveDetails details ->
		if (details.requested.group == 'org.apache.logging.log4j') {
			details.useVersion '2.15.0'
		}
	}
}

Whichever method you choose, to check that the override has been applied you can run ./gradlew dependencyInsight --dependency log4j-core and look for version 2.15.0.
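A check that covers both the Maven and the Gradle verification steps above, as an added example that is not part of the original post: it parses the output of ./mvnw dependency:list or ./gradlew dependencyInsight and flags any log4j artifact still resolving below 2.15.0. It assumes POSIX sh with awk, grep and sed; the sample tool output inside is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): parse `./mvnw dependency:list`
# or `./gradlew dependencyInsight --dependency log4j-core` output and flag any
# org.apache.logging.log4j artifact still below the fixed version.
# Assumes POSIX sh with awk/grep/sed; the sample tool output is constructed.

FIXED_VERSION="2.15.0"

# version_ge A B: return 0 when dotted version A >= B, else 1.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Reads tool output on stdin. Returns 0 when every log4j artifact resolves to
# >= FIXED_VERSION, 1 when any is older (a direct log4j-core override leaves
# siblings such as log4j-api at the BOM-managed version), 2 when none appear.
check_log4j_versions() {
    status=0; found=0
    while IFS= read -r line; do
        case "$line" in *org.apache.logging.log4j:*) ;; *) continue ;; esac
        found=1
        artifact=$(printf '%s\n' "$line" | sed -n 's/.*\(org\.apache\.logging\.log4j:[^:]*\).*/\1/p')
        # Maven: "group:artifact:jar:2.14.1:compile"; Gradle: "group:artifact:2.14.1 -> 2.15.0".
        # The resolved version is the last dotted number on the line.
        version=$(printf '%s\n' "$line" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | tail -n 1)
        if version_ge "$version" "$FIXED_VERSION"; then
            echo "OK   $artifact $version"
        else
            echo "FAIL $artifact $version is below $FIXED_VERSION"; status=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no log4j artifacts found in input"; return 2; }
    return "$status"
}

# Constructed Maven sample: log4j-core was overridden but log4j-api was not.
SAMPLE_MAVEN='[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.15.0:compile'
printf '%s\n' "$SAMPLE_MAVEN" | check_log4j_versions || echo "remediation incomplete"
```

Pipe the real tool output into check_log4j_versions and treat any FAIL line as an incomplete remediation; it reports every log4j artifact, not only log4j-core.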

Other Options

For users that can't upgrade, another option is to set the log4j2.formatMsgNoLookups system property to true. For example, you can start your app using:

java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar

References:

https://santhoshponnam.com/index.php/2021/12/11/log4j-rce-vulnerability/

https://logging.apache.org/log4j/2.x/security.html
