Sun. Sep 25th, 2022

Here we will discuss the steps to consider when responding to the log4j vulnerability (CVE-2021-44228, widely known as Log4Shell). It is of utmost importance to respond quickly to this simple but very dangerous bug. If your project uses Java and has log4j anywhere in its dependency tree, take corrective measures as soon as possible.

Thanks to the Malwarebytes post, which shared a lot of details.

Problem with log4j

log4j versions 2.0-beta9 through 2.14.1 contain a vulnerability in log4j-core: when a logged message contains attacker-controlled text such as ${jndi:ldap://attacker-host/x}, log4j performs a JNDI lookup against that server, and the server's response can make the JVM load and execute attacker-supplied code with the same privileges as the application user. The lookup lives in log4j-core; an application that only has log4j-api (or a bridge such as log4j-to-slf4j) on its classpath, with no log4j-core, is not exploitable through this bug.

Good news

log4j 2.15.0 was the first release to address this issue, and it is what this post originally recommended. That fix was later found to be incomplete in some non-default configurations (CVE-2021-45046), which is why the Updates section at the end of this post now recommends 2.17.0. If you are already on 2.17.0 or later, you can skip the rest of this article.

How to fix the vulnerability

log4j version 2.10.0 and higher (below 2.17.0)

Add the VM argument -Dlog4j2.formatMsgNoLookups=true (or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true, which log4j 2.10.0 and later also honour). This disables lookups inside log messages. Treat it as a stopgap rather than the fix: it was later shown not to cover every configuration (CVE-2021-45046), and the Updates section below recommends upgrading to 2.17.0 regardless.

log4j version less than 2.10.0

These releases do not recognise the formatMsgNoLookups flag, so upgrade log4j-core (and the matching log4j-api) to 2.17.0. Note that 2.17.0 requires Java 8 or later; the Apache project published equivalent fixes for Java 7 (2.12.3) and Java 6 (2.3.1). If an upgrade is not possible at all, the Apache advisory's alternative is to delete the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar.

Upgrading your package (steps provided for Maven)

  • Upgrade log4j to the latest version if pom.xml mentions log4j explicitly
  • Otherwise, find the dependency that brings in log4j using mvn dependency:tree (adding -Dincludes=org.apache.logging.log4j limits the output to log4j artifacts)

Once we have identified the parent, we can do the following:

  • Upgrade the parent to a version that brings in log4j 2.17.0 or higher
  • If no parent version with a fixed log4j exists yet, apply the remediation steps below

[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.4.5:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile

Output of mvn dependency:tree

Here spring-boot-starter-logging:jar:2.4.5 is the jar that brings in log4j. Look closely at what it brings in: log4j-api and log4j-to-slf4j (the bridge that routes log4j API calls to SLF4J and Logback), but not log4j-core. The JNDI lookup is in log4j-core, so a Spring Boot application with this default Logback setup is not exploitable through these two artifacts. The steps below still apply to every module where log4j-core does appear in the tree (for example when spring-boot-starter-log4j2 is used instead of the default logging starter).
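As an added example (not code from the original post, nor from Apache or Spring), the following POSIX shell script turns the dependency:tree procedure above into a repeatable check: it pulls every Log4j 2 artifact out of the tree output, treats only log4j-core as the exploitable piece, and prints the remediation this post recommends for each version band. The sample tree is constructed from the fragment above plus a made-up module that pulls in log4j-core 2.14.1; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from Apache/Spring:
# scan the text output of `mvn dependency:tree` for Log4j 2 artifacts and
# print what each one needs. Version bands follow this post and the Apache
# advisory: only log4j-core carries the JNDI lookup, and anything below
# 2.17.0 still needs attention. Log4j 1.x is a separate code base and is
# not flagged. All function and variable names here are my own.

# minor_of VERSION -> the minor number: 14 for 2.14.1, 0 for 2.0-beta9.
# Splitting on both '.' and '-' keeps pre-release suffixes out of the way.
minor_of() {
    printf '%s\n' "$1" | awk -F'[.-]' '{ print $2 + 0 }'
}

# log4j_needs_fix VERSION -> exit 0 when VERSION is a 2.x release below 2.17.0.
log4j_needs_fix() {
    case "$1" in
        2.*) [ "$(minor_of "$1")" -lt 17 ] ;;
        *)   return 1 ;;
    esac
}

# advice_for VERSION -> one line of remediation advice for a log4j-core jar,
# following the bands in this post plus the later incomplete-fix releases.
advice_for() {
    minor=$(minor_of "$1")
    if ! log4j_needs_fix "$1"; then
        echo "OK: $1 is not in the affected 2.x range"
    elif [ "$minor" -ge 15 ]; then
        echo "VULNERABLE: $1 was superseded by later advisories; upgrade log4j-core to 2.17.0"
    elif [ "$minor" -ge 10 ]; then
        echo "VULNERABLE: upgrade log4j-core to 2.17.0; as a stopgap run with -Dlog4j2.formatMsgNoLookups=true"
    else
        echo "VULNERABLE: upgrade log4j-core to 2.17.0; the flag is ignored before 2.10.0, so if you cannot upgrade delete org/apache/logging/log4j/core/lookup/JndiLookup.class from the jar"
    fi
}

# scan_tree < tree.txt -> one report line per distinct Log4j 2 artifact.
# Exit status 1 when any log4j-core jar still needs fixing, else 0.
# A tree line looks like:
#   [INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
scan_tree() {
    report=$(
        sed -n 's/.*\(org\.apache\.logging\.log4j:[^: ]*:jar:[^: ]*\).*/\1/p' |
        sort -u |
        while IFS=: read -r group artifact _packaging version; do
            case "$artifact" in
                log4j-core)
                    printf '%s:%s %s\n' "$artifact" "$version" "$(advice_for "$version")" ;;
                *)
                    printf '%s:%s NOTE: not log4j-core, not exploitable by itself; upgrade it alongside log4j-core\n' \
                        "$artifact" "$version" ;;
            esac
        done
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    else
        echo "no Log4j 2 artifacts found"
    fi
    case "$report" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Constructed sample input: the post's tree fragment plus a made-up module
# (versions illustrative only) that pulls in log4j-core 2.14.1.
SAMPLE_TREE='[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.4.5:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO] +- com.example:made-up-log4j2-module:jar:1.0.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile'

# Constructed sample of an already-upgraded tree.
SAFE_TREE='[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.17.0:compile'

# Stand-alone demo on the constructed sample. Against a real project, replace
# this line with plain `scan_tree` and run:
#   mvn dependency:tree -Dincludes=org.apache.logging.log4j | sh scan-log4j.sh
printf '%s\n' "$SAMPLE_TREE" | scan_tree || echo "action required"
```

On the post's own fragment the script reports log4j-api and log4j-to-slf4j as NOTE only, and flags nothing; it returns a non-zero status only when a log4j-core jar below 2.17.0 is present, which makes it easy to drop into a CI job across many repositories.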

The latest version of spring-boot-starter-logging at the time of writing is 2.6.1, released in November 2021.

It still manages log4j* at version 2.14.1.

This means that simply bumping spring-boot-starter-logging cannot give us a fixed log4j until a newer Spring Boot release ships.

Until then, we need to add -Dlog4j2.formatMsgNoLookups=true to the Java process.

If you use Docker with an ENTRYPOINT

ENTRYPOINT ["java","-Dlog4j2.formatMsgNoLookups=true","-jar","/path/my-app.jar"]

If the application has a wrapper script that invokes the java process, the script can add the VM argument -Dlog4j2.formatMsgNoLookups=true to the java command line. In either case, confirm that the flag actually reached the running JVM, for example by checking the process command line with ps, or with jcmd <pid> VM.system_properties; a flag set in the wrong layer (a base image's CMD, a shell-form ENTRYPOINT that ignores it) silently leaves the application unprotected.

There are more involved fixes, such as excluding log4j from the parent dependency and declaring log4j-core and log4j-api 2.17.0 explicitly, or, in a project that inherits spring-boot-starter-parent, overriding the managed version with the log4j2.version property in pom.xml. These need more careful analysis and testing, so take these routes only if they are necessary.

Updates

Upgrade to version 2.17.0, as recommended in the Apache Log4j security advisory.

Effective logging practices

Refer to logging best practices
