How to Identify and Mitigate Risks Associated with the Log4j Vulnerability

Most people know by now about the critical vulnerability in Log4j. The risk of this vulnerability is the ability for remote attackers to run arbitrary code on any application that uses Log4j, and it is already being actively exploited. 

You can find additional information and resources about the vulnerability on the CISA.gov website here. 

There are 3 options available to mitigate the Log4j vulnerability risk: 

1. Upgrade to Log4j v2.16.0 

2. If you are using Log4j v2.10 or above, and cannot upgrade, then set the property: 

log4j2.formatMsgNoLookups=true 

Additionally, an environment variable can be set for these same affected versions: 

LOG4J_FORMAT_MSG_NO_LOOKUPS=true 

3. Or remove the JndiLookup class from the classpath. For example, you can run a command like: 

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class 

to remove the class from the log4j-core. 

If you need assistance detecting Log4j in your web applications, FortifyData is offering a Free Vulnerability Risk Assessment to help organizations and/or their third-party vendors find Log4j and other critical vulnerabilities. All we need is the company name and domain to quickly complete our industry leading attack surface assessment for you and or/your critical vendors. You can register for your Assessment here. 

Related Posts