How to Mitigate the Critical Apache Log4j 2 Remote Code Execution Vulnerability

Vulnerability Overview

Apache Log4j 2 is a widely used Java logging framework that introduced many features. Certain functions allow recursive lookups, enabling attackers to craft malicious requests that trigger remote code execution.

Impact

The vulnerability can be exploited without special configuration, allowing remote code execution and posing severe risks to many Java applications worldwide.

Affected Versions

All Log4j 2.x versions up to and including 2.14.1 are vulnerable.

Mitigation Steps

Check Java applications for inclusion of the log4j-api and log4j-core JARs; if present, upgrade to the latest version (e.g., 2.15.0‑rc2) available at

https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2

. Also update known affected components such as spring-boot-starter-log4j2, Apache Solr, Apache Flink, Apache Druid, etc.

Emergency Workarounds

If upgrading is not possible immediately, apply the following temporary mitigations:

Set the JVM option -Dlog4j2.formatMsgNoLookups=true.

Configure log4j2.formatMsgNoLookups=True in Log4j settings.

Set the environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true.