README_en.md

CVE-2021-44228 Log4j2 JNDI RCE Mitigation

Chinese version

Usage

1. Locate log4j2-core component under deploy path

   find . -name '*log4j-core*.jar'
   

2. Apply mitigation against log4j2-core JARs found above

   • Method 1: Use zip command to remove JndiLookup.class from the JAR (recommended)

     zip -q -d 'JAR_path_here' org/apache/logging/log4j/core/lookup/JndiLookup.class
     

   • Method 2: Replace your JAR with patched JAR from this repo (under log4j2-core/ directory)
     All JARs included in this repo comes from maven, with JndiLookup.class removed and no further modification.
     You can replace your JAR safely if the filename matches.

3. Restart you application for the mitigation to become effective.

How does it work?

To improve compatibility on some JRE that does not provide JNDI, changeset LOG4J2-703 wraps ${jndi:xxx} registration with try/catch. When JndiLookup instansiation failed, there will be only warning log instead of throw an exception. We can effectively stop ${jndi:xxx} handler from registering by removing JndiLookup.class file, thus avoid triggering the vulnerability.

• This mitigation applies to all stable release of log4j2, while log4j2.formatMsgNoLookups option only applies to log4j2 ≥ 2.10
• This mitigation does not disable all lookups, the functionality of ${date:xxx}, ${ctx:xxx}, etc are preserved.
• Sometimes modification to log4j2.xml / log4j2.properties / -classpath are not trivial, or may be overridden on runtime. Modifying JAR is much simpler and effective.

Acknowledge

This mitigation was acknowledged by log4j2 team:

Thank you @zhangyoufu for the suggested workaround for older versions of log4j to remove the JndiLookup.class class! The team likes your idea and we will include the workaround you suggested in the release notes and announcement email. Many thanks!

Reference

• https://nvd.nist.gov/vuln/detail/CVE-2021-44228
• https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
• https://logging.apache.org/log4j/2.x/security.html
• https://mail-archives.apache.org/mod_mbox/www-announce/202112.mbox/%3C643bc702-4b46-411b-4980-1fcf637dbb11@apache.org%3E
• apache/logging-log4j2#608
• https://github.com/tangxiaofeng7/apache-log4j-poc

Other mitigations

• https://github.com/Glavo/log4j-patch (override original implementation by prepend it into classpath)
• https://github.com/LoliKingdom/NukeJndiLookupFromLog4j (remove "jndi" handler on runtime)
• JVM argument -Dlog4j2.formatMsgNoLookups=true or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true (only applies to log4j-core ≥ 2.10)