nanog mailing list archives
Re: Log4j mitigation
From: Owen DeLong via NANOG <nanog () nanog org>
Date: Wed, 15 Dec 2021 19:03:14 -0800
On Dec 14, 2021, at 14:43, Nick Hilliard <nick () foobar org> wrote:

> The log4j people have updated their security advisory to say that these two mitigation measures are not sufficient to protect against the recent vulnerability:
>
> 2. start java with "-D log4j2.formatMsgNoLookups=true" (v2.10+ only)
> 3. start java with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" environment variable (v2.10+ only)
>
> The current recommended fixes are:
>
> 1. upgrade to 2.16.0 (not 2.15.0), or
> 2. remove the JndiLookup.class file from log4j-core-*.jar
>
> More details on: https://logging.apache.org/log4j/2.x/security.html
>
> Nick
The difficulty is that, as others have pointed out, log4j (for better or (mostly) worse) tends to get incorporated into other JARs, so merely upgrading the system package is insufficient. Since I had to do a full search through the entire system for all JARs containing log4j routines, and I didn’t find anything I was unwilling to give up in that search (the only thing that sort of came close was the Arduino IDE), I simply nuked everything found in the search (and anything that depended on such things) and feel that my system is better off for it. YMMV.

Owen
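The two things this message and the quoted advisory describe, a search of the whole filesystem for log4j-core buried inside other archives and the stopgap of deleting JndiLookup.class from log4j-core, as an added example that is not code from the thread or from the Apache project. It walks a directory tree, opens every .jar/.war/.ear, recurses into archives nested inside archives, reports the log4j-core version from Maven's pom.properties when present, and can rewrite an archive (outer and nested levels) without JndiLookup.class. The sample tree it scans is constructed in a temp directory from stand-in bytes, not real log4j class files, and the 2.16.0 threshold is the one quoted in the thread; substitute whatever the current advisory says.

```python
"""Find log4j-core inside JARs (including JARs nested in WARs/EARs) and strip
JndiLookup.class as a stopgap.  Added example; assumptions are marked inline."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)   # threshold taken from the advisory quoted in the thread


def _version_of(zf):
    """Read log4j-core's Maven pom.properties from an open archive; None if absent."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _parse_version(s):
    """'2.15.0-rc2' -> (2, 15, 0); None when the string has no x.y.z prefix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    return tuple(int(g) for g in m.groups()) if m else None


def scan_blob(blob, label):
    """Findings for this archive and for any archive nested inside it (recursively)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings                      # not a zip container; nothing to inspect
    names = set(zf.namelist())
    if any(n.startswith(CORE_PREFIX) for n in names):
        findings.append({"path": label, "version": _version_of(zf),
                         "jndi_lookup": JNDI_CLASS in names})
    for n in sorted(names):
        if n.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(scan_blob(zf.read(n), label + "!/" + n))
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(scan_blob(fh.read(), path))
    return findings


def needs_action(finding):
    """Per the quoted advisory: fine at >= 2.16.0; otherwise JndiLookup.class must go.
    An unreadable version is treated as old, so an unknown build is not silently passed."""
    parsed = _parse_version(finding["version"]) if finding["version"] else None
    if parsed and parsed >= FIXED_VERSION:
        return False
    return finding["jndi_lookup"]


def strip_jndi_lookup(blob):
    """Return (new_blob, removed): the archive re-packed without JndiLookup.class,
    applied at every nesting level so a JAR inside a WAR is covered too."""
    src = zipfile.ZipFile(io.BytesIO(blob))
    out, removed = io.BytesIO(), 0
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed += 1
                continue
            data = src.read(info.filename)
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    data, n = strip_jndi_lookup(data)
                    removed += n
                except zipfile.BadZipFile:
                    pass                     # named like an archive but is not one; copy as-is
            new = zipfile.ZipInfo(info.filename, date_time=info.date_time)  # fresh header
            new.compress_type = info.compress_type
            new.external_attr = info.external_attr
            dst.writestr(new, data)
    return out.getvalue(), removed


def _make_jar(entries):
    """Build an in-memory zip from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed stand-in for a real filesystem (assumption: not real log4j bytes)."""
    fake_class = b"\xca\xfe\xba\xbe" + b"\x00" * 16        # class-file magic, nothing else
    old_core = _make_jar({CORE_PREFIX + "Logger.class": fake_class, JNDI_CLASS: fake_class,
                          POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\n"})
    new_core = _make_jar({CORE_PREFIX + "Logger.class": fake_class, JNDI_CLASS: fake_class,
                          POM_PROPS: b"version=2.16.0\n"})   # class present, version past threshold
    api_only = _make_jar({"org/apache/logging/log4j/Logger.class": fake_class})  # log4j-api, no core
    war = _make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": old_core,
                     "WEB-INF/lib/log4j-api.jar": api_only})
    os.makedirs(os.path.join(root, "app", "lib"), exist_ok=True)
    with open(os.path.join(root, "app", "lib", "log4j-core-2.16.0.jar"), "wb") as fh:
        fh.write(new_core)
    with open(os.path.join(root, "app", "service.war"), "wb") as fh:
        fh.write(war)


def run_demo():
    """Build the constructed tree, scan it, strip the WAR in place, rescan. Returns a summary."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    before = scan_tree(root)
    war = os.path.join(root, "app", "service.war")
    with open(war, "rb") as fh:
        fixed, removed = strip_jndi_lookup(fh.read())
    tmp = war + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(fixed)
    os.replace(tmp, war)        # atomic swap: a half-written archive never sits at the real path
    return {"before": before, "after": scan_tree(root), "removed": removed}


if __name__ == "__main__":
    result = run_demo()
    for f in result["before"]:
        print(f["path"], f["version"], "JndiLookup" if f["jndi_lookup"] else "-",
              "ACTION" if needs_action(f) else "ok")
    print("removed", result["removed"], "copy/copies of JndiLookup.class from the WAR")
```

Two gaps a practitioner should expect from this approach: a shaded ("fat") JAR that relocated the package names will not match the `org/apache/logging/log4j/core/` prefix, and classes unpacked loose onto a classpath directory are not archives and are not visited at all. A JVM that already mapped the old JAR keeps the old class until it is restarted, so the rewrite on disk is only half the job.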