Mitigation Strategy: Upgrade Log4j 2 Library
-
1. Mitigation Strategy: Upgrade Log4j 2 Library
-
Description:
- Identify Dependencies: Use dependency management tools (Maven:
mvn dependency:tree, Gradle, etc.) to find all direct and transitive uses of Log4j 2. - Check Current Version: Determine the exact version(s) of Log4j 2 currently in use.
- Identify Latest Secure Version: Refer to the official Apache Log4j 2 security page (https://logging.apache.org/log4j/2.x/security.html) for the latest secure version compatible with your Java environment (Java 6, 7, 8+).
- Update Dependency Declarations: Modify your project's build files (e.g.,
pom.xml,build.gradle) to explicitly require the latest secure version of Log4j 2. Update all instances. - Resolve Conflicts: Address any dependency conflicts. You may need to exclude older, vulnerable versions of Log4j 2 brought in by other libraries and force the use of the newer version.
- Rebuild and Test: Rebuild the application and execute comprehensive automated and manual tests. Focus on logging functionality and overall application stability.
- Deploy: Deploy the updated application to all environments.
- Monitor: Monitor application logs and performance post-deployment.
- Identify Dependencies: Use dependency management tools (Maven:
-
Threats Mitigated:
- CVE-2021-44228 (Log4Shell): Remote Code Execution (RCE) - Critical Severity. Patched versions remove the vulnerable JNDI lookup functionality.
- CVE-2021-45046: Denial of Service (DoS) and limited RCE (non-default configurations) - High Severity. Addressed by further updates.
- CVE-2021-45105: Denial of Service (DoS) - High Severity. Fixed in later versions.
- Other Vulnerabilities: Upgrading addresses any other known and patched security issues.
-
Impact:
- CVE-2021-44228: Risk reduced from Critical to Negligible (eliminated).
- CVE-2021-45046: Risk reduced from High to Negligible.
- CVE-2021-45105: Risk reduced from High to Negligible.
- Other Vulnerabilities: Risk significantly reduced.
-
Currently Implemented: Partially.
service-aupgraded to 2.17.1.reporting-moduleremains at 2.14.1. -
Missing Implementation: Upgrade
reporting-module. Verify all third-party libraries use secure Log4j 2 versions.
-
Mitigation Strategy: Disable JNDI Lookups
-
2. Mitigation Strategy: Disable JNDI Lookups
-
Description:
- Identify Deployment Method: Determine how the application is started (standalone JAR, WAR, container, etc.).
- JVM Argument (Preferred): Add
-Dlog4j2.formatMsgNoLookups=trueto the Java command line. This is the most reliable method. The specific steps depend on the deployment:- Standalone JAR: Modify the startup script.
- Application Server (Tomcat, etc.): Update server configuration files (e.g.,
setenv.sh,catalina.properties). - Docker: Add to
JAVA_OPTSin the Dockerfile or docker-compose file.
- Environment Variable (Alternative): Set the environment variable
LOG4J_FORMAT_MSG_NO_LOOKUPS=true. Less reliable than JVM arguments. - Programmatic Setting (Least Reliable): As a last resort, attempt:
System.setProperty("log4j2.formatMsgNoLookups", "true");in the application code. This may be too late to be effective. - Verification: Crucially, verify the setting is active. Check logs for messages indicating lookups are disabled, or attempt a JNDI lookup (in a controlled environment) to confirm failure.
- Apply Consistently: Ensure this setting is applied to all application instances and dependencies.
-
Threats Mitigated:
- CVE-2021-44228 (Log4Shell): Remote Code Execution (RCE) - Critical Severity. Disables the core vulnerable functionality.
- CVE-2021-45046: DoS and limited RCE - High Severity. Also mitigated.
-
Impact:
- CVE-2021-44228: Risk reduced from Critical to Low (significantly reduced, but not eliminated if misconfigured or if older Log4j 2 versions don't fully respect the setting).
- CVE-2021-45046: Risk reduced from High to Low.
- CVE-2021-45105: Not directly mitigated.
-
Currently Implemented: No.
-
Missing Implementation: Implement as a defense-in-depth measure across all components, especially
reporting-module. Add the JVM argument to startup scripts.
-
Mitigation Strategy: Remove JndiLookup Class
-
3. Mitigation Strategy: Remove
JndiLookupClass-
Description:
- Locate JAR Files: Find all JAR files containing the Log4j 2 core library (
log4j-core-*.jar). - Backup: Always create backups of the original JAR files before modification.
- Remove the Class: Use the
zipcommand (or equivalent on Windows) to delete theJndiLookup.classfile:Repeat for every relevant JAR file.zip -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class - Replace Original JAR: Replace the original
log4j-core-*.jarfiles with the modified versions. - Test Thoroughly: Extensively test the application to ensure correct functionality. Focus on any areas that might have (unusually) used JNDI.
- Document: Clearly document this non-standard modification.
- Locate JAR Files: Find all JAR files containing the Log4j 2 core library (
-
Threats Mitigated:
- CVE-2021-44228 (Log4Shell): Remote Code Execution (RCE) - Critical Severity. Removes the vulnerable code entirely.
- CVE-2021-45046: DoS and limited RCE - High Severity. Also mitigated.
-
Impact:
- CVE-2021-44228: Risk reduced from Critical to Negligible (eliminated).
- CVE-2021-45046: Risk reduced from High to Negligible.
- CVE-2021-45105: Not directly mitigated.
-
Currently Implemented: No. Last resort.
-
Missing Implementation: Consider for
reporting-moduleonly if upgrading is impossible. Upgrading is strongly preferred.
-
Mitigation Strategy: Limit Logging of User-Controlled Input (Log4j2 configuration)
-
4. Mitigation Strategy: Limit Logging of User-Controlled Input (Log4j2 configuration)
-
Description:
- Review Log4j2 Configuration: Examine your
log4j2.xml(or other configuration file format) to identify patterns and appenders. - Modify Patterns: Adjust the patterns used in your appenders (especially
PatternLayout) to avoid logging potentially dangerous input directly. For example, instead of logging the entire message (%m), consider logging only specific, sanitized parts of the message. Use custom message objects or structured logging to control what gets logged. - Use Filters: Implement Log4j 2 filters to selectively filter out log events based on their content. You could create a custom filter that checks for potentially malicious patterns (like
${jndi:) and prevents those events from being logged. This is more robust than just modifying the pattern. - Context Map Filtering: If you're using the Thread Context Map (MDC), be very careful about what you put in the MDC, as it's often included in log messages. Avoid putting user-supplied data directly into the MDC.
- Test Configuration Changes: After making any changes to your Log4j 2 configuration, thoroughly test to ensure that logging still works as expected and that the changes effectively mitigate the risk.
- Review Log4j2 Configuration: Examine your
-
Threats Mitigated:
- CVE-2021-44228 (Log4Shell): Remote Code Execution (RCE) - Critical Severity. Reduces the attack surface by controlling what data is processed by Log4j 2's vulnerable components.
- Other Injection Attacks: Can help mitigate other injection attacks that might leverage logging.
-
Impact:
- CVE-2021-44228: Risk reduced from Critical to High (reduces the likelihood of triggering the vulnerability, but doesn't eliminate it).
- Other Injection Attacks: Reduces risk.
-
Currently Implemented: Partially. Some patterns have been reviewed, but a comprehensive review of the Log4j 2 configuration and the implementation of filters are needed.
-
Missing Implementation: A full review of
log4j2.xmlis required. Custom filters should be implemented to specifically check for and block potentially malicious log messages. The use of the MDC needs to be carefully reviewed.
-