Log4j mitigation

• Previous message (by thread): Log4j mitigation
• Next message (by thread): Log4j mitigation
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On Dec 11, 2021, at 04:11 , Nick Hilliard <nick at foobar.org> wrote:
> 
> Andy Ringsmuth wrote on 11/12/2021 03:54:
>> The intricacies of Java are over my head, but I’ve been reading about this Log4j issue that sounds pretty bad.
>> What do we know about this? What, if anything, can a network operator do to help mitigate this? Or even an end user?
> 
> The payload can be contained in https, so there is no way of detecting / stopping this at the network level.  Installations need to be upgraded / fixed.
> 
> https://logging.apache.org/log4j/2.x/security.html
> 
> 1. upgrade log4j to 2.15.0 and restart all java apps
> 2. start java with "-D log4j2.formatMsgNoLookups=true" (v2.10+ only)
> 3. start java with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" environment variable (v2.10+ only)
> 4. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
> 
> There's a lot of scanning going on at the moment, so if you have an exposed java instance running something which includes log4j2, you may already be compromised.
> 
> Nick

Alternatively, this incantation solved the problem on my linux server:

rpm -e log4j12 ant-apache-log4j log4j


Owen

• Previous message (by thread): Log4j mitigation
• Next message (by thread): Log4j mitigation
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]