Here we discuss the steps to take in responding to the log4j vulnerability. It is of utmost importance to respond quickly to this simple but very dangerous vulnerability in log4j. If your project uses Java and has log4j in its dependency tree, please take corrective measures as soon as possible.
Thanks to the MalwareBytes post, which shared a lot of details.
Problem with log4j
log4j versions 2.0-beta9 to 2.14.1 have a vulnerability which allows a remote LDAP server to inject malicious code into the application and execute it with the same privileges as the application user.
Good news
log4j version 2.15.0 is not impacted; if that is your version, you can skip the rest of this article.
How to fix vulnerability
log4j version 2.10.0 and higher
Add the VM argument -Dlog4j2.formatMsgNoLookups=true
log4j version less than 2.10.0
Upgrade your log4j* package to 2.17.0
Upgrading your package (steps provided for Maven)
- Upgrade log4j to the latest version if the pom.xml file mentions log4j explicitly
- Otherwise, find the dependency that brings in log4j using mvn dependency:tree
Once we have identified the parent, we can do the following
- Upgrade the parent to the latest version that brings in log4j version 2.15.0 or higher
- Perform the following remediation steps if no version of the parent brings in a log4j version that fixes the issue
Output of mvn dependency:tree
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.4.5:compile
[INFO] | | | +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] | | | | \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
[INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
Here spring-boot-starter-logging:jar:2.4.5 is the jar that brings in log4j.
The latest version of spring-boot-starter-logging is 2.6.1 released in Nov 2021
It uses log4j* version 2.14.1
This means we need to wait for a later spring-boot-starter-logging version to get a proper fix.
Until then, we need to add -Dlog4j2.formatMsgNoLookups=true to the java process.
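As an added illustration (not code from the original post or from any of the projects mentioned), the following Python script automates the two steps just described: it parses saved mvn dependency:tree output, lists every org.apache.logging.log4j artifact together with the direct (top-level) dependency that pulls it in, and applies this article's version rules (affected range 2.0-beta9 to 2.14.1, formatMsgNoLookups usable from 2.10.0, upgrade target 2.17.0 from the Updates section). The sample tree text is constructed for the example, and the function names are my own; it assumes the standard Maven tree layout of three-character indentation cells followed by a "+- " or "\- " connector.

```python
import re

# Constructed sample of `mvn dependency:tree` output for this example only,
# modelled on the excerpt shown in the article (not a real project's output).
SAMPLE_TREE = """\
[INFO] com.example:my-app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.4.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.4.5:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.4.5:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \\- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
[INFO] |  |  |  |  \\- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO] |  |  \\- org.yaml:snakeyaml:jar:1.27:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
"""

LOG4J_GROUP = "org.apache.logging.log4j"

# One tree line: "[INFO] " + indentation made of 3-char cells ("|  " or "   ")
# + connector ("+- " or "\- ") + groupId:artifactId:type[:classifier]:version:scope
TREE_LINE = re.compile(r"^\[INFO\] (.*?)([+\\]- )(\S+)")


def version_key(version):
    """Sortable key for Maven-style versions such as 2.14.1 or 2.0-beta9.
    Pre-release qualifiers (-beta9, -rc1) sort before the plain release."""
    base, _, qualifier = version.partition("-")
    nums = [int(x) for x in re.findall(r"\d+", base)]
    while len(nums) < 3:
        nums.append(0)
    if qualifier:
        m = re.match(r"([A-Za-z]+)(\d*)", qualifier)
        pre = (0, m.group(1).lower(), int(m.group(2) or 0))
    else:
        pre = (1, "", 0)
    return (tuple(nums), pre)


AFFECTED_LOW = version_key("2.0-beta9")   # article: affected from 2.0-beta9
AFFECTED_HIGH = version_key("2.14.1")     # article: affected up to 2.14.1
NO_LOOKUPS_MIN = version_key("2.10.0")    # article: VM flag applies from 2.10.0
FIXED = version_key("2.17.0")             # article's Updates: upgrade target


def assess(version):
    """Map a log4j version to (status, advice) using the article's rules."""
    k = version_key(version)
    if k >= FIXED:
        return ("ok", "at or above 2.17.0")
    if AFFECTED_LOW <= k <= AFFECTED_HIGH:
        if k >= NO_LOOKUPS_MIN:
            return ("vulnerable",
                    "interim: run with -Dlog4j2.formatMsgNoLookups=true; "
                    "then upgrade to 2.17.0")
        return ("vulnerable", "flag not available below 2.10.0; upgrade to 2.17.0")
    if k > AFFECTED_HIGH:
        return ("upgrade", "outside the listed range but below 2.17.0; upgrade")
    return ("unlisted", "below 2.0-beta9; not covered by this article's range")


def find_log4j(tree_text):
    """Walk dependency:tree output and report every log4j artifact, the
    direct (top-level) dependency that pulls it in, and the assessment."""
    findings = []
    ancestors = []  # artifactIds from the top-level dependency down to the current node
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue  # the project's own root line, or non-tree log output
        indent, coords = m.group(1), m.group(3)
        depth = len(indent) // 3 + 1      # 1 = direct dependency of the project
        parts = coords.split(":")
        group, artifact = parts[0], parts[1]
        version = parts[-2]               # scope is last; a classifier may precede the version
        ancestors = ancestors[:depth - 1] + [artifact]
        if group != LOG4J_GROUP:
            continue
        status, advice = assess(version)
        findings.append({"artifact": artifact, "version": version,
                         "via": ancestors[0], "status": status, "advice": advice})
    return findings


if __name__ == "__main__":
    # With a real project: mvn dependency:tree > tree.txt, then pass that text in.
    for f in find_log4j(SAMPLE_TREE):
        print(f"{f['artifact']}:{f['version']} via {f['via']} -> {f['status']}: {f['advice']}")
```

The "via" field is the dependency you would bump or exclude in pom.xml; in the constructed sample both 2.13.3 artifacts arrive through spring-boot-starter-web, while the explicitly declared log4j-core 2.17.0 is reported as clean.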
If you use Docker with an ENTRYPOINT
ENTRYPOINT ["java","-Dlog4j2.formatMsgNoLookups=true","-jar","/path/my-app.jar"]
If the application has a wrapper script that invokes the java process, the script can include the VM argument -Dlog4j2.formatMsgNoLookups=true
There are more involved fixes, such as excluding the particular dependency and adding log4j explicitly as a dependency; however, these need more careful analysis and testing. Proceed down these routes only if it is essential.
Updates
Upgrade to version 2.17.0 – advisory from log4j here
Effective logging practices
Refer to logging best practices