Log4j 2 Vulnerability Overview and Mitigation Measures

Apache Log4j 2 is a widely used Java logging framework that, due to a recursive lookup feature, allows attackers to craft malicious requests that trigger remote code execution.

The vulnerability requires no special configuration and can affect any Java application that includes the log4j-api and log4j-core JARs, making it highly dangerous.

All Log4j 2.x versions ≤ 2.14.1 are vulnerable.

Recommended permanent fix: upgrade all affected applications to the latest Log4j 2.15.0‑rc1 release (https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1) and update any dependent components such as spring‑boot‑starter‑log4j2, Apache Solr, Flink, Druid, etc.

If an immediate upgrade is not possible, apply the following emergency mitigations:

Set the JVM option -Dlog4j2.formatMsgNoLookups=true.

Modify Log4j2 configuration to include log4j2.formatMsgNoLookups=True.

Set the environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true.