How can I set Dlog4j2.formatMsgNoLookups=true in JVM?

On one of my computers there is JRE 1.8.0_45, and on another machine there is OpenJDK.

I want to set the JVM flag Dlog4j2.formatMsgNoLookups=true, but where can I write this piece of configuration?

Peacoat answered 11/12, 2021 at 9:27 Comment(12)
It goes on the java command line. There is no single place to put that that will fix all of the commands that use Java. - Colous
Assuming that you are concerned about the "log4shell" vulnerability, my advice would be to look for the vulnerable log4j2 JAR files and update them to version 2.15 (or later). - Colous
(And, seriously 1.8.0_45?? That is many, many security patches behind. Fix that too.) - Colous
You can also add -Dlog4j2.formatMsgNoLookups=true to the environment variable JAVA_TOOL_OPTIONS. - Alric
Maybe ... but there are issues with using JAVA_TOOL_OPTIONS ... - Colous
The latest Java 8 is not vulnerable. But the latest is 1.8.0_311. The Java 8 updates table in en.wikipedia.org/wiki/Java_version_history summarizes the patch releases that include security fixes. Basically ... lots of them. - Colous
For the time being, I want to use JAVA_TOOL_OPTIONS with the value -Dlog4j2.formatMsgNoLookups=true. Is this safe to avoid the log4j vulnerability? @StephenC Due to legacy applications running on the machine which only run in older versions, but I will add the patches. - Peacoat
Given that you'll have to test the System Property change in every application, why not just test against version 2.15+ and make no code changes? See similar - Veron
I am using JDK 1.8.0_262 / 64 bit. Is there any way to replicate this issue locally? Or how do I ensure the Dlog4j2.formatMsgNoLookups=true fix is working or not? - Schaller
Remember that this parameter works only for log4j2 version >=2.10. - Adhesion
Disabling lookups with system properties is discouraged since CVE-2021-45046. - Quitrent
Better use the even newer 2.16 version of log4j-core. - Parton

If possible, upgrade to Log4j version 2.15.0.

If upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set. Use this command:

java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar

Also worth reading on mitigation:

Hoar answered 13/12, 2021 at 17:22 Comment(0)
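
As an added example (not part of the original question, comments or answer), this POSIX shell script performs the checks the thread describes: it finds log4j-core JARs, classifies each version against the 2.10 and 2.15 thresholds mentioned above, and tests whether an option string such as JAVA_TOOL_OPTIONS carries the flag. The function names and labels are hypothetical, and it assumes JARs keep the standard log4j-core-<version>.jar file name, so renamed or bundled copies are not detected.

```shell
#!/bin/sh
# Added example; function names and labels are hypothetical.
# Assumes JARs keep the standard name log4j-core-<version>.jar.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Print the version embedded in a log4j-core JAR file name (empty if none).
log4j_core_version() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*[0-9]\).*\.jar$/\1/p'
}

# Classify a 2.x version against the thresholds named on this page:
# below 2.10 the flag has no effect, 2.10 to 2.14.x it applies,
# 2.15 and later is the upgrade the answers recommend.
classify_log4j() {
    case "$1" in [0-9]*.[0-9]*) ;; *) echo unknown; return 0 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    if [ "$major" -ne 2 ]; then echo unknown
    elif [ "$minor" -lt 10 ]; then echo flag-has-no-effect
    elif [ "$minor" -lt 15 ]; then echo flag-applies
    else echo at-or-above-2.15
    fi
}

# Succeed if an option string (e.g. $JAVA_TOOL_OPTIONS) carries the flag.
has_nolookups_flag() {
    case " $1 " in *" $FLAG "*) return 0 ;; *) return 1 ;; esac
}

# Print "<classification> <path>" for every log4j-core JAR under a directory.
audit_dir() {
    find "$1" -type f -name 'log4j-core-*.jar' | sort | while IFS= read -r jar; do
        printf '%s %s\n' "$(classify_log4j "$(log4j_core_version "$jar")")" "$jar"
    done
}

# Stand-alone use: pass the directory to scan as the first argument.
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
    if has_nolookups_flag "${JAVA_TOOL_OPTIONS:-}"; then
        echo "JAVA_TOOL_OPTIONS sets $FLAG"
    else
        echo "JAVA_TOOL_OPTIONS does not set $FLAG"
    fi
fi
```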
