-4

When I run

$ java -XX:+UnlockDiagnosticVMOptions -XX:+PrintFlagsFinal -version | grep -i formatMsgNoLookups

I get no formatMsgNoLookups option in the output. Does it mean I am not vulnerable to CVE-2021-44228?

george
  • 21
  • 2
  • 1
    Search SO again with formatMsgNoLookups such as [this](https://stackoverflow.com/questions/70315727/where-to-put-formatmsgnolookups-in-log4j-xml-config-file) and [Apache Logging](https://logging.apache.org/log4j/2.x/security.html) – DuncG Dec 12 '21 at 11:10
  • It's normal that you get nothing, because formatMsgNoLookups is a system property. log4j picks it up. This article explains the vulnerability well and when you are affected: https://tutoref.com/cve-2021-44228-zero-day-vulnerability/ – Mehdi Dec 14 '21 at 04:46

1 Answer

3

You are conflating things. log4j2.formatMsgNoLookups is a system property which is picked up by the log4j2 logging library. It is not a JVM flag and won't be printed by -XX:+PrintFlagsFinal. If it is enabled, then log4j2 doesn't perform lookups from the format message, which mitigates the vulnerability by disabling this attack vector.

You can only be vulnerable to CVE-2021-44228 if you are actually using log4j2 in your Java application. Let me repeat that: your application is what's vulnerable, not the Java or the JVM itself. On the same JVM, one application can be vulnerable, while another isn't.

(And if it were, the absence of it would rather indicate the opposite: you are vulnerable.)

knittl
  • 246,190
  • 53
  • 318
  • 364
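The answer's point is that the relevant facts are per application, not per JVM: whether log4j-core is on that process's classpath, and whether that process has the log4j2.formatMsgNoLookups property set (as a -D system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable, which Log4j 2 honors from 2.10.0; 2.15.0 disables message lookups by default). The following is an added example, not code from the question or answer, that applies those checks to a constructed java command line and environment; it assumes the classpath is visible on the command line or in CLASSPATH, so fat jars, WAR bundles and properties set programmatically are not seen.

```python
import re
import shlex

# Matches a log4j-core jar in a classpath entry, e.g. lib/log4j-core-2.14.1.jar
LOG4J_CORE_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def system_properties(argv):
    """Collect -Dkey=value arguments: these are application properties, and a
    JVM flag listing (-XX:+PrintFlagsFinal) will never show them."""
    props = {}
    for arg in argv:
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
    return props


def classpath_entries(argv, env):
    """Classpath from -cp/-classpath (which overrides CLASSPATH) or else the env var."""
    args = iter(argv)
    entries = []
    for arg in args:
        if arg in ("-cp", "-classpath", "--class-path"):
            entries += next(args, "").split(":")
    if not entries:
        entries = env.get("CLASSPATH", "").split(":")
    return [e for e in entries if e]


def assess(cmdline, env):
    """Return (highest log4j-core version on the classpath or None, mitigation set?, verdict)."""
    argv = shlex.split(cmdline)
    props = system_properties(argv)
    versions = [tuple(int(n) for n in m.groups())
                for e in classpath_entries(argv, env)
                if (m := LOG4J_CORE_RE.search(e))]
    no_lookups = (props.get("log4j2.formatMsgNoLookups", "").lower() == "true"
                  or env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true")
    if not versions:
        return None, no_lookups, "not-applicable: log4j-core is not on this process's classpath"
    version = max(versions)
    if version >= (2, 15, 0):
        return version, no_lookups, "fixed: message lookups are disabled from 2.15.0 on"
    if version < (2, 10, 0):
        return version, no_lookups, "vulnerable: formatMsgNoLookups is ignored before 2.10.0; upgrade"
    if no_lookups:
        return version, no_lookups, "mitigated: still upgrade, Apache documents this mitigation as insufficient"
    return version, no_lookups, "vulnerable: log4j-core 2.10-2.14 without formatMsgNoLookups"


# Constructed samples: three applications on the same JVM installation, only one mitigated.
SAMPLE_APP_A = "java -Dlog4j2.formatMsgNoLookups=true -cp app.jar:lib/log4j-core-2.14.1.jar com.example.A"
SAMPLE_APP_B = "java -cp app.jar:lib/log4j-core-2.14.1.jar com.example.B"
SAMPLE_APP_C = "java -cp app.jar:lib/log4j-core-2.17.1.jar com.example.C"
```

In practice the command line comes from `ps` or `jcmd <pid> VM.system_properties`; the verdict strings are prefixed with a stable keyword so they can be aggregated across hosts.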