
How to set Dlog4j2.formatMsgNoLookups=true in JVM?

In one of my computers, there is Jre1.8.0_45 and in another machine there is OpenJDK.

I want to set JVM flag Dlog4j2.formatMsgNoLookups=true but I don't know where to write this piece of configuration.

Can anybody guide me on this?

If possible, upgrade to Log4J version 2.15.0.

If upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set, using the command below.

java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar

Also worth reading on mitigation

https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

If possible, upgrade to Log4j version 2.15.0.

Log4j 2.10 and above

If upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set using the command below.

java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar

Disabling lookups via properties was implemented in LOG4J2-2109 and has been available since Log4j 2.10.

Log4j below 2.10

Remove the JndiLookup class from the classpath. For example, you can run a command like the one below to remove the class from log4j-core. This needs to be done for each application that includes log4j in the jar file.

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Also worth reading on mitigation

https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

I recommend always checking the official site, since version 2.16.0 was released today.

https://logging.apache.org/log4j/2.x/security.html
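
The answers above split the mitigation by version (the system property for Log4j 2.10 and above, removing JndiLookup.class below 2.10) and note that it must be done for each application that bundles log4j in its jar. The following is an added example, not code from the original answers: it walks an application archive, including jars nested inside it, and reports which mitigation applies to each log4j-core copy. The names `scan`, `advise`, `make_jar` and `sample_app` are this example's own, and the sample archive is constructed.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")

def advise(version, has_jndi):
    """Map one finding to the mitigation the answers above give for it."""
    if not has_jndi:
        return "JndiLookup.class already removed"
    if version >= (2, 15, 0):
        return "2.15.0 or later: check the official security page"
    if version >= (2, 10, 0):
        return "upgrade, or set -Dlog4j2.formatMsgNoLookups=true"
    return "upgrade, or remove JndiLookup.class (property needs 2.10+)"

def scan(archive, label, depth=3):
    """Yield (location, version, has_jndi, advice) per log4j-core jar, nested too."""
    with zipfile.ZipFile(archive) as zf:  # archive: a path or a file object
        names = zf.namelist()
        match = CORE_JAR.search(label)
        if match:
            version = tuple(int(g or 0) for g in match.groups())
            has_jndi = JNDI_CLASS in names
            yield label, version, has_jndi, advise(version, has_jndi)
        for name in names:
            if depth > 0 and name.endswith((".jar", ".war", ".ear")):
                try:
                    inner = io.BytesIO(zf.read(name))
                    yield from scan(inner, f"{label}!/{name}", depth - 1)
                except zipfile.BadZipFile:
                    continue  # entry is not a readable archive; skip it

def make_jar(entries):
    """Build an archive in memory from {name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def sample_app():
    """Constructed fat jar: two unpatched cores, one with the class removed."""
    unpatched = make_jar({JNDI_CLASS: b""})
    patched = make_jar({"META-INF/MANIFEST.MF": b""})
    return io.BytesIO(make_jar({
        "BOOT-INF/lib/log4j-core-2.14.1.jar": unpatched,
        "BOOT-INF/lib/log4j-core-2.8.2.jar": unpatched,
        "BOOT-INF/lib/log4j-core-2.9.1.jar": patched}))
```

Pass a real archive path as the first argument to `scan` to audit a deployed application. The version is read from the jar file name, so a renamed or shaded copy of log4j-core will not be reported.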
