
JAVA formatMsgNoLookups option (CVE-2021-44228)

When I run

$ java -XX:+UnlockDiagnosticVMOptions -XX:+PrintFlagsFinal -version | grep -i formatMsgNoLookups

I get no formatMsgNoLookups option in output. Does it mean I am not vulnerable to CVE-2021-44228?

You are conflating things. log4j2.formatMsgNoLookups is a system property which is picked up by the log4j2 logging library. It is not a JVM flag and won't be printed by -XX:+PrintFlagsFinal. If it is enabled, then log4j2 doesn't perform lookups from the format message, which mitigates the vulnerability by disabling this attack vector.

You can only be vulnerable to CVE-2021-44228 if you are actually using log4j2 in your Java application. Let me repeat that: your application is what's vulnerable, not Java or the JVM itself. On the same JVM, one application can be vulnerable while another isn't.

(And if it were a JVM flag, its absence would rather indicate the opposite: you are vulnerable.)
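The answer's point is that the check belongs at the application level, not the JVM level. The following script is an added example (not part of the question or answer above, and not Apache's own tooling) that does that check: it walks an application's lib directories, finds log4j-core jars, reads the artifact version from the jar's Maven pom.properties, tests whether the JndiLookup class is still present, and reports whether the -Dlog4j2.formatMsgNoLookups=true system property would even apply. The jar-internal paths used (META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties and org/apache/logging/log4j/core/lookup/JndiLookup.class) are the real log4j-core layout; the version boundaries (affected 2.0-beta9 through 2.14.1, property honoured only from 2.10.0, CVE-2021-44228 fixed in 2.15.0) are from the Apache Log4j security advisory. The sample application trees and jars are constructed fixtures built in a temporary directory so the script runs offline.

```python
import os
import re
import tempfile
import zipfile

# Where Maven records the artifact version inside a log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class whose JNDI lookup is abused by CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

AFFECTED_MIN = (2, 0, 0)   # 2.0-beta9 .. 2.14.1 are affected
FIXED_MIN = (2, 15, 0)     # first release that fixes CVE-2021-44228
PROPERTY_MIN = (2, 10, 0)  # log4j2.formatMsgNoLookups is ignored before 2.10.0


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def inspect_jar(path):
    """Return (version, has_jndi_lookup) for a log4j-core jar, or None for any other jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names:
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = parse_version(m.group(1)) if m else None
        elif re.search(r"log4j-core-\d", os.path.basename(path)):
            # Fallback when the Maven metadata was stripped: trust the file name.
            version = parse_version(os.path.basename(path))
        else:
            return None
        return version, JNDI_LOOKUP in names


def assess(version, has_jndi_lookup):
    """Classify one log4j-core jar and say whether the system property would help."""
    if version is None:
        return {"status": "unknown-version", "property_effective": False}
    if version >= FIXED_MIN:
        return {"status": "fixed", "property_effective": False}
    if version < AFFECTED_MIN:
        return {"status": "not-affected", "property_effective": False}
    if not has_jndi_lookup:
        # Class removed from the jar: the lookup cannot run regardless of the property.
        return {"status": "mitigated-class-removed", "property_effective": False}
    return {"status": "vulnerable", "property_effective": version >= PROPERTY_MIN}


def mitigation_arg(finding):
    """The launch argument to add, if the property helps. It is a -D system property,
    not a -XX HotSpot flag, which is why -XX:+PrintFlagsFinal never lists it."""
    return "-Dlog4j2.formatMsgNoLookups=true" if finding["property_effective"] else None


def scan_classpath(root):
    """Walk a directory tree and assess every log4j-core jar found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            info = inspect_jar(path)
            if info is None:
                continue
            version, has_jndi = info
            result = assess(version, has_jndi)
            result["jar"] = os.path.relpath(path, root)
            result["version"] = version
            findings.append(result)
    return findings


def build_sample_tree(root):
    """Constructed fixtures: five fake applications sharing one JVM, not real artifacts."""
    def make_jar(rel, version, with_jndi):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(POM_PROPS, f"version={version}\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only

    make_jar("app-a/lib/log4j-core-2.14.1.jar", "2.14.1", True)   # vulnerable, property works
    make_jar("app-b/lib/log4j-core-2.8.2.jar", "2.8.2", True)     # vulnerable, property ignored
    make_jar("app-c/lib/log4j-core-2.14.1.jar", "2.14.1", False)  # JndiLookup.class deleted
    make_jar("app-e/lib/log4j-core-2.17.1.jar", "2.17.1", True)   # fixed release
    os.makedirs(os.path.join(root, "app-d/lib"), exist_ok=True)   # no log4j at all
    with zipfile.ZipFile(os.path.join(root, "app-d/lib/other-lib-1.0.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def run_demo():
    """Build the fixture tree, scan it, and return {jar: (status, property_effective)}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {f["jar"]: (f["status"], f["property_effective"]) for f in scan_classpath(root)}


if __name__ == "__main__":
    for jar, (status, prop) in sorted(run_demo().items()):
        print(f"{jar}: {status}" + (" (add -Dlog4j2.formatMsgNoLookups=true)" if prop else ""))
```

Run it against a real deployment with scan_classpath("/opt/myapp") instead of the fixture tree. Note that app-a and app-c bundle the same log4j-core version yet get different verdicts, and that app-b is still vulnerable even with the property set because releases before 2.10.0 do not read it; in both the 2.8.2 and the 2.14.1 case the durable fix is upgrading log4j-core, the property being a stopgap.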

The technical post webpages of this site follow the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address. Any questions, please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM