How to mitigate the Apache Log4j vulnerability (CVE-2021-44228)

How to mitigate the Apache Log4j vulnerability (CVE-2021-44228)

Log4j is a Java-based logging framework used by most Java applications. A vulnerability was discovered in Apache Log4j2 2.14.1 and below that allows remote code execution. Attackers can leverage this vulnerability to take full control of a vulnerable machine. This is classified as a zero-day attack, which means it needs to be mitigated immediately.

The Log4j vulnerability was discovered on December 9th. Here’s what you can do.

Impact version

  • Apache Log4j 2.x <= 2.15.0-rc1

Temporary fix

  • In releases >=2.10, set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • In releases 2.0-beta9 to 2.10.0, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

Permanent fix

  • Upgrade the log4j library to version 2.15.0 or higher

Resources