Mitigating the Critical Log4j 2 Remote Code Execution Flaw: Updates and Emergency Fixes

Apache Log4j 2’s recursive lookup flaw enables remote code execution without special configuration, affecting versions up to 2.14.1; the article outlines the vulnerability’s impact, affected components, and provides both permanent fixes—upgrading to 2.15.0-rc2—and urgent mitigation steps such as JVM flags and environment variable changes.

Programmer DD

1. Vulnerability Overview

Apache Log4j 2 is a widely used Java logging framework that introduced many advanced features. Some of its recursive lookup functions allow an attacker to craft a malicious request that triggers remote code execution.

2. Impact

The exploit requires no special configuration; attackers can directly send malicious requests to achieve remote code execution.

3. Vulnerability ID

None currently assigned.

4. Affected Scope

Apache Log4j 2.x ≤ 2.14.1

5. Remediation Measures

Check Java applications for the presence of log4j-api and log4j-core JARs. If they are used, the application is likely vulnerable and should be protected promptly.

Upgrade all affected Log4j 2 components to the latest version, log4j-2.15.0-rc2, downloadable from the GitHub release page.

Upgrade known affected applications and components, such as:

spring-boot-starter-log4j2

Apache Solr

Apache Flink

Apache Druid

6. Emergency Mitigation Steps

If updating is not possible, apply the following temporary mitigations:

Set JVM parameter -Dlog4j2.formatMsgNoLookups=true.

Add log4j2.formatMsgNoLookups=True to the Log4j configuration.

Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true.
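As an added example (not code from the original article), the following Python script covers the checks in sections 5 and 6: it walks a directory tree for log4j-core JARs, reads the Maven pom.properties inside each to obtain the version, flags anything older than 2.15.0, and reports whether the JVM flag or environment variable above is in effect for a process. It assumes the standard Maven metadata path inside the JAR and does not look inside WAR/EAR archives or shaded JARs; the two JARs built in demo() are constructed sample input.

```python
import os
import re
import tempfile
import zipfile
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # first version line the article tells you to upgrade to

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release suffix such as '-rc2' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def jar_version(path):
    """Version from the JAR's log4j-core pom.properties, or None for any other JAR."""
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPS not in zf.namelist():
                return None
            lines = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            props = dict(l.split("=", 1) for l in lines if "=" in l)
            return parse_version(props.get("version", ""))
    except zipfile.BadZipFile:
        return None  # not a real JAR; skip it

def scan(root):
    """Sorted (path, version) pairs for every log4j-core JAR below root older than 2.15.0."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                v = jar_version(path)
                if v is not None and v < FIXED:
                    hits.append((path, ".".join(map(str, v))))
    return sorted(hits)

def lookups_disabled(jvm_args, env):
    """True when either emergency mitigation from the article is in effect for a process."""
    flag = "-Dlog4j2.formatMsgNoLookups=true" in jvm_args  # exact spelling from the article
    var = env.get("FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS", "").lower() == "true"
    return flag or var

def demo():
    """Build a constructed lib tree (one vulnerable JAR, one fixed JAR) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, ver in [("log4j-core-2.14.1.jar", "2.14.1"), ("log4j-core-2.15.0-rc2.jar", "2.15.0-rc2")]:
            with zipfile.ZipFile(os.path.join(root, name), "w") as zf:  # constructed sample JAR
                zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={ver}\n")
        return [os.path.basename(p) + " " + v for p, v in scan(root)]
```

Run scan() against each application's lib directory (and the JVM launch arguments and environment against lookups_disabled()) to get an inventory of hosts still needing the upgrade or a mitigation.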

Written by Programmer DD, a tinkering programmer and author of "Spring Cloud Microservices in Action".
