Log4j mitigation

Nick Hilliard nick at foobar.org
Sat Dec 11 12:11:37 UTC 2021


Andy Ringsmuth wrote on 11/12/2021 03:54:
> The intricacies of Java are over my head, but I’ve been reading about this Log4j issue that sounds pretty bad.
> 
> What do we know about this? What, if anything, can a network operator do to help mitigate this? Or even an end user?

The payload can be contained in https, so there is no way of detecting / 
stopping this at the network level.  Installations need to be upgraded / 
fixed.

https://logging.apache.org/log4j/2.x/security.html

1. upgrade log4j to 2.15.0 and restart all java apps
2. start java with "-D log4j2.formatMsgNoLookups=true" (v2.10+ only)
3. start java with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" environment 
variable (v2.10+ only)
4. zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class

There's a lot of scanning going on at the moment, so if you have an 
exposed java instance running something which includes log4j2, you may 
already be compromised.

Nick


More information about the NANOG mailing list