6

On one of my computers, there is JRE 1.8.0_45 and on another machine there is OpenJDK.

I want to set the JVM flag Dlog4j2.formatMsgNoLookups=true, but where can I write this piece of configuration?

Peter Mortensen
Simant
  • It goes on the `java` command line. There is no single place to put that that will fix all of the commands that use Java. – Stephen C Dec 11 '21 at 09:44
  • 6
    Assuming that you are concerned about the "log4shell" vulnerability, my advice would be to look for the vulnerable log4j2 JAR files and update them to version 2.15 (or later). – Stephen C Dec 11 '21 at 09:48
  • 5
    (And, seriously `1.8.0_45`?? That is many, many security patches behind. Fix that too.) – Stephen C Dec 11 '21 at 09:51
  • 1
    You can also add `-Dlog4j2.formatMsgNoLookups=true` to the environment variable `JAVA_TOOL_OPTIONS`. – dan1st Dec 11 '21 at 09:51
  • Maybe ... but there are issues with using `JAVA_TOOL_OPTIONS` ... – Stephen C Dec 11 '21 at 09:52
  • 2
    The latest Java 8 is not vulnerable. But the latest is 1.8.0_311. The Java 8 updates table in https://en.wikipedia.org/wiki/Java_version_history summarizes the patch releases that include security fixes. Basically ... lots of them. – Stephen C Dec 11 '21 at 09:53
  • For the time being, I want to use JAVA_TOOL_OPTIONS with the value -Dlog4j2.formatMsgNoLookups=true. Is this safe to avoid log4j vulnerability? @StephenC Due to legacy applications running on the machine which only runs in older versions but I will add the patches. – Simant Dec 11 '21 at 10:08
  • Given that you'll have to test the System Property change in every application, why not just test against version 2.15+ and make no code changes? See [similar](https://stackoverflow.com/questions/70315727/where-to-put-formatmsgnolookups-in-log4j-xml-config-file/70315976#70315976) – DuncG Dec 11 '21 at 17:17
  • 2
    I am using JDK 1.8.0_262 (64-bit). Is there any way to replicate this issue locally? Or how do I ensure the Dlog4j2.formatMsgNoLookups=true fix is working or not? – Vasanth Dec 12 '21 at 07:30
  • 1
    Remember that this parameter works only for log4j2 version >=2.10 – devwebcl Dec 13 '21 at 17:59
  • Disabling lookups with system properties is discouraged since CVE-2021-45046 – Cani Dec 15 '21 at 14:43
  • Better to use the even newer 2.16 version of log4jcore – Stimpson Cat Dec 16 '21 at 12:27

1 Answer

3

If possible, upgrade to Log4j version 2.15.0.

If upgrading is not possible, then ensure the `-Dlog4j2.formatMsgNoLookups=true` system property is set. Use this command:

```
java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar
```

Also worth reading on mitigation:

Peter Mortensen
Raghu Reddy
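Following the comments about locating the vulnerable log4j2 JAR files and about the flag only working from 2.10 onward, here is an added example (not code from the question, the answer or the Log4j project) that finds `log4j-core` JARs under a directory and sorts them by whether the flag applies. It assumes the JARs keep their Maven-style `log4j-core-<version>.jar` filename; the function names, status labels and sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify log4j-core JARs by how this thread's advice applies.
# Assumption: JARs keep the Maven-style name log4j-core-<version>.jar; copies
# renamed or bundled inside fat JARs/WARs are not detected by a filename scan.

# classify_log4j_version <version> prints one status (labels are hypothetical):
#   flag-ineffective  below 2.10, where formatMsgNoLookups has no effect
#   flag-stopgap      2.10 to 2.14.x, flag applies until the JAR is upgraded
#   upgraded          2.15 or later
#   unknown           anything that is not a 2.x version string
classify_log4j_version() {
    case $1 in
        2.[0-9] | 2.[0-9].* | 2.[0-9]-*)                echo flag-ineffective ;;
        2.1[0-4] | 2.1[0-4].* | 2.1[0-4]-*)             echo flag-stopgap ;;
        2.[0-9][0-9] | 2.[0-9][0-9].* | 2.[0-9][0-9]-*) echo upgraded ;;
        *)                                              echo unknown ;;
    esac
}

# scan_log4j_jars <dir> prints "status<TAB>path" for each log4j-core JAR found.
scan_log4j_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' | sort | while IFS= read -r jar; do
        base=${jar##*/}            # strip the directory part
        ver=${base#log4j-core-}    # strip the artifact name
        ver=${ver%.jar}            # strip the extension
        printf '%s\t%s\n' "$(classify_log4j_version "$ver")" "$jar"
    done
}

# Constructed sample tree (empty files with realistic names) so this runs offline.
sample=$(mktemp -d)
mkdir -p "$sample/app-a/lib" "$sample/app-b/lib" "$sample/app-c/lib"
: > "$sample/app-a/lib/log4j-core-2.8.2.jar"
: > "$sample/app-b/lib/log4j-core-2.14.1.jar"
: > "$sample/app-c/lib/log4j-core-2.16.0.jar"
scan_log4j_jars "$sample"
```

Call `scan_log4j_jars` on an application's install directory in place of the sample tree.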