
How to Patch the Apache Log4j2 Vulnerability in Dble

This guide explains four remediation methods for the Log4j2 security flaw in Dble, including upgrading to Log4j2 2.16.0, adding a configuration property, adjusting JVM parameters for older versions, and setting a system environment variable, with detailed step‑by‑step instructions and code snippets.

Aikesheng Open Source Community

Dble relies on many component JAR files, so when a component such as Apache Log4j2 has a security vulnerability, an urgent fix is required.

Apache Log4j2

Security vulnerability details: https://nosec.org/home/detail/4917.html

Remediation Options

⚠️ Option 1: Upgrade Log4j2. As of 2021‑12‑14 11:00 Beijing time, Log4j officially released version 2.16.0 (see release notes: https://github.com/apache/logging-log4j2/blob/rel/2.16.0/RELEASE-NOTES.md).

⚠️ Options 2‑4 are temporary bypasses; they work for all Dble versions but may have side effects. Option 2 is recommended.

1. Upgrade Log4j2 Component

Dble versions 2.19.07.x – 3.21.10.x are supported. Versions prior to 2.19.07.x require manual replacement and are no longer officially supported.

Impact: Dble must be restarted.

Steps:

1.1 Stop Dble.

1.2 Back up the existing Log4j JAR files on the Dble server and move them to /tmp/ .

The /path/to/dble/lib directory contains four JAR files that need to be replaced:

log4j-1.2-api-2.13.1.jar

log4j-api-2.13.1.jar

log4j-core-2.13.1.jar

log4j-slf4j-impl-2.13.1.jar

Execute the following commands:

mv log4j-1.2-api-2.13.1.jar log4j-1.2-api-2.13.1.jar.bak
mv log4j-1.2-api-2.13.1.jar.bak /tmp/

1.3 Download the Log4j 2.16.0 JAR files from the Maven repository (e.g., https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.16.0/) and upload them to /path/to/dble/lib , adjusting permissions as needed.

1.4 Repeat steps 1.2 and 1.3 for the remaining three JAR files.

1.5 Start Dble.

2. Add Configuration File

Applicable to all Dble versions (the change requires a restart).

Place a new file log4j2.component.properties under the Dble configuration directory /path/to/dble/conf with the following content:

log4j2.formatMsgNoLookups=True

Verify that the property is loaded after restarting Dble; it will not take effect without a restart.

3. Modify JVM Parameters (for Dble < 3.20.07.0)

Versions 3.20.07.0 and later restrict JVM parameters, so this method is not supported for them.

Impact: Dble must be restarted.

Steps:

Add the following line to /path/to/dble/conf/wrapper.conf (replace the index number as appropriate):

wrapper.java.additional.14=-Dlog4j2.formatMsgNoLookups=true

Check whether the parameter is active with:

ps aux|grep dble|grep 'formatMsgNoLookups'

4. Set System Environment Variable

Set FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true as a system environment variable. This method is not recommended.
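The following script is an added example, not code from the article or from the Dble project. It audits a Dble home directory for the four remediation states described in options 1 to 4 above (log4j-core JAR version in lib/, log4j2.component.properties, the -D flag in wrapper.conf, and the environment variable); the sample directory trees it builds under mktemp are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or the Dble project: audit a Dble home
# directory for the four states the guide describes. Sample trees are constructed.

# Echo the version embedded in lib/log4j-core-<ver>.jar, or "none".
log4j_core_version() {
  for f in "$1"/lib/log4j-core-*.jar; do
    [ -e "$f" ] || { echo none; return; }
    echo "$f" | sed 's/.*log4j-core-\(.*\)\.jar$/\1/'
    return
  done
}

# Succeed when $1 is a dotted version >= 2.16.0 (field-by-field numeric sort).
version_ge_2_16_0() {
  [ "$(printf '%s\n2.16.0\n' "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = 2.16.0 ]
}

# Echo one verdict: "upgraded" (option 1 done), "mitigated" (option 2, 3 or 4
# in place for a still-old JAR) or "exposed" (old JAR, no bypass found).
dble_log4j_status() {
  home=$1
  if version_ge_2_16_0 "$(log4j_core_version "$home")"; then echo upgraded; return; fi
  if grep -qi '^log4j2\.formatMsgNoLookups=true' "$home/conf/log4j2.component.properties" 2>/dev/null ||
     grep -q -e '-Dlog4j2\.formatMsgNoLookups=true' "$home/conf/wrapper.conf" 2>/dev/null ||
     [ "$FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS" = true ]; then
    echo mitigated; return
  fi
  echo exposed
}

# Constructed sample: the four JAR names from the guide at version $2 under $1.
make_sample_dble() {
  mkdir -p "$1/lib" "$1/conf"
  for j in log4j-1.2-api log4j-api log4j-core log4j-slf4j-impl; do
    : > "$1/lib/$j-$2.jar"
  done
}

demo() {
  base=$(mktemp -d)
  make_sample_dble "$base/old" 2.13.1                       # untouched install
  make_sample_dble "$base/prop" 2.13.1                      # option 2 applied
  echo 'log4j2.formatMsgNoLookups=True' > "$base/prop/conf/log4j2.component.properties"
  make_sample_dble "$base/jvm" 2.13.1                       # option 3 applied
  echo 'wrapper.java.additional.14=-Dlog4j2.formatMsgNoLookups=true' > "$base/jvm/conf/wrapper.conf"
  make_sample_dble "$base/new" 2.16.0                       # option 1 applied
  for d in old prop jvm new; do printf '%s: %s\n' "$d" "$(dble_log4j_status "$base/$d")"; done
  (export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true; printf 'env: %s\n' "$(dble_log4j_status "$base/old")")
  rm -rf "$base"
}
demo
```

Point it at a real installation with `dble_log4j_status /path/to/dble`; a JAR-name check only sees what is on disk, so after option 3 still confirm the flag on the running process with the ps command shown above.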

---

Keywords: #dble# #log4j# #log4j2# #vulnerability# #security#

Written by

Aikesheng Open Source Community

The Aikesheng Open Source Community provides stable, enterprise‑grade MySQL open‑source tools and services, releases a premium open‑source component each year (1024), and continuously operates and maintains them.
