Log4JShell Vulnerability

Updated: Dec 16, 2021

Almost everyone has used the log4j libraries, either for logging in an application or while learning. It is also the talk of the town after the Remote Code Execution vulnerability (CVE) that was published recently.


Remote Code Execution (RCE)

It is one of the most dangerous kinds of vulnerability: an attacker is able to execute arbitrary malicious code on your system without your knowledge. This is how the Kaspersky encyclopedia defines RCE:

One of the most dangerous types of computer vulnerabilities. It allows an attacker to remotely run malicious code within the target system on the local network or over the Internet. Physical access to the device is not required. An RCE vulnerability can lead to loss of control over the system or its individual components, as well as theft of sensitive data.

Resolution/Mitigation Steps

In order to resolve this once and for all, we have to use the latest version of log4j, which is 2.15.0. This is the Maven dependency to use:

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.15.0</version>
</dependency>

UPDATE: Use the latest log4j build, which is 2.16.0, where some edge cases missed in 2.15.0 have been fixed.

But if you cannot edit the code, you can also mitigate it in one of the following ways:

  1. For releases >= 2.10, setting the system property log4j2.formatMsgNoLookups to true when running your application, as below, prevents this vulnerability: java -Dlog4j2.formatMsgNoLookups=true abc..

  2. For releases from 2.0-beta9 to 2.10.0, remove org/apache/logging/log4j/core/lookup/JndiLookup.class from the classpath.

  3. For Java versions greater than 8u121, the JVM is protected against remote class loading over JNDI because the com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase properties default to false. Note that this only blocks the remote-codebase path and is not a substitute for upgrading log4j.

  4. Setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.


The first and the last points look the easiest to me.
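As an added example (not code from the original post), here is a small Python checker for mitigation 2 and for the version check: it opens a jar, looks for the JndiLookup class and the bundled log4j-core version, and flags any jar that still contains the class on a version below 2.16.0. The entry paths are the standard Maven layout; the sample jar built in memory is a constructed stand-in for a real log4j-core jar.

```python
import io
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)  # the build the post recommends

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints."""
    return tuple(int(p) for p in text.split("-")[0].split(".") if p.isdigit())

def inspect_jar(data):
    """Report whether a jar (bytes) still ships JndiLookup and which log4j-core
    version it bundles. Nested jars/wars/ears are searched recursively so a
    shaded or repackaged copy of log4j is not missed."""
    report = {"version": None, "jndi_lookup_present": False}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            if name == JNDI_LOOKUP_CLASS:
                report["jndi_lookup_present"] = True
            elif name == POM_PROPERTIES:
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        report["version"] = line.split("=", 1)[1].strip()
            elif name.endswith((".jar", ".war", ".ear")):
                nested = inspect_jar(jar.read(name))
                report["jndi_lookup_present"] |= nested["jndi_lookup_present"]
                report["version"] = report["version"] or nested["version"]
    return report

def needs_action(report):
    """True when JndiLookup is present on a version below the fixed build."""
    if not report["jndi_lookup_present"]:
        return False  # class removed (mitigation 2) or no log4j-core at all
    if report["version"] is None:
        return True   # lookup present but version unknown: treat as exposed
    return parse_version(report["version"]) < FIXED_VERSION

def build_sample_jar(version, include_lookup=True):
    """Construct a minimal fake log4j-core jar in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\n")
        if include_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()
```

Run inspect_jar over the bytes of every jar on your classpath (including those bundled inside third-party libraries) and act on anything needs_action reports.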


There is a high chance that your application, or one of the third-party libraries it uses, is in turn using log4j, which is why this is currently the hottest topic in the market. Use the above steps to fix this vulnerability as soon as possible.


Please do suggest more content topics of your choice and share your feedback. Also subscribe and appreciate the blog if you like it.
