top of page

Log4JShell Vulnerability

Updated: Dec 16, 2021

Everyone has used log4j libraries for logging in their application or for learning. It is also talk of the town after CVE Remote Code Execution vulnerability added recently.

Remote Code Execution (RCE)

It is one of the most dangerous kind of vulnerabilities, where an attacker will be able to execute any malicious code without your knowledge. This is how kaspersky enclyopedia defines RCE as

Resolution/Mitigation Steps

In order to resolve this one and for all, we have to use the latest version of log4j, which is 2.15.0. This is the maven dependency to use:


UPDATE: Use log4j latest build which is 2.16.0, where they have fixed some edge cases missed in 2.15.0

But let's say you cannot edit the code, you can also mitigate by

  1. For release >=2.10, adding log4j2.formatMsgNoLookups to true as system parameter while running you application like below will prevent from this vulnerability. java -Dlog4j2.formatMsgNoLookups=true abc..

  2. For releases from 2.0_beta9 to 2.10.0, remove org/apache/logging/log4j/core/lookup/JndiLookup.class from the classpath.

  3. For Java version greater than 8u121, it can be protected against RCE by defaulting the com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false.

  4. Setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

The first and the last point looks the easiest for me.

Its a high chance that your application or the third party libraries your application is using, is in-turn using log4j and that's why it is currently the hottest topic in market right now. Use the above steps to fix this vulnerability as soon as possible.

Please do suggest more content topics of your choice and share your feedback. Also subscribe and appreciate the blog if you like it.

249 views0 comments

Recent Posts

See All


bottom of page