manually remove apache jndilookup class to migrate the risk?

Locate the log4j jar inside the product based on the version of the jar oracle provide the below remediations . apply it to safe guard the system

For Log4j versions 2.10 and later:

  • set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true

For Log4j versions between 2.7 and 2.14.1:

  • all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m

For Log4j versions between 2.0-beta9 and 2.10.0:

  • remove the JndiLookup class from the classpath. For example: 
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *