vorburger/Log4j_CVE-2021-44228

Log4j CVE-2021-44228

Solutions

Consider whether you actually require Log4j2 Core. Most likely, your own code (or some 3rd-party library you depend on) only needs Log4j's Logging API façade and can log to another back-end. You could therefore completely exclude the org.apache.logging.log4j:log4j-core dependency.

Use one of several available "Logging API Bridges" to connect (only) log4j-api with another Logging Implementation back-end:

  1. Log4j2-SLF4j-Logback using log4j-to-slf4j

  2. Log4j2-to-JUL from LOG4J2-3282 by me, as https://github.com/vorburger/Learning-Log4j2 illustrates.
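As an added illustration (not part of this repository), the exclusion and option 1 could look like this in a Maven build, with an enforcer rule that fails the build if log4j-core returns transitively. Maven itself, the `com.example:some-library` coordinates and the `${...}` version properties are assumptions and placeholders to replace with your own values.

```xml
<!-- Added example: pom.xml fragment; com.example and ${...} values are placeholders. -->
<dependencies>
  <!-- Hypothetical third-party library that pulls in log4j-core transitively -->
  <dependency>
    <groupId>com.example</groupId>
    <artifactId>some-library</artifactId>
    <version>${some-library.version}</version>
    <exclusions>
      <exclusion>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Bridge: routes log4j-api calls to SLF4J, with Logback as the back-end -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-to-slf4j</artifactId>
    <version>${log4j.version}</version>
  </dependency>
  <dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
    <version>${logback.version}</version>
  </dependency>
</dependencies>
<build>
  <plugins>
    <!-- Fails the build if any dependency, direct or transitive, resolves log4j-core -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>${enforcer.version}</version>
      <executions>
        <execution>
          <id>ban-log4j-core</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes><exclude>org.apache.logging.log4j:log4j-core</exclude></excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

The exclusion has to be repeated on every dependency that brings in log4j-core; the enforcer rule is what catches one that was missed or added later.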

This makes particular sense if you, or your Cloud Provider, has existing infrastructure for the respective back-end:

Background

Detection & Scanning, Attack Surface

Mitigations

Exploit
