Verify an application has picked up a java property
Published at
12/16/2021
Categories
log4shell
java
log4j
log4j2
Author
sineaggi
NOTE: This was written in response to the Log4Shell vulnerability, CVE-2021-44228. -Dlog4j2.formatMsgNoLookups=true is not effective at mitigating the second of the two log4j vulnerabilities, CVE-2021-45046.
I've noticed these past few days people have been asking how to validate if a system property has been set.
Simple method (no code change)
The simplest method would be to add -Dlog4j2.formatMsgNoLookups=true to your JAVA_TOOL_OPTIONS environment variable, then verify that on startup you see the line
Picked up JAVA_TOOL_OPTIONS: -Dlog4j2.formatMsgNoLookups=true
printed to the console.
Code change method
The second way would be to check the system property itself, and print it out on startup. One example would be
System.out.println("log4j2.formatMsgNoLookups=" + System.getProperty("log4j2.formatMsgNoLookups"));
then validating that
log4j2.formatMsgNoLookups=true
is printed to the console.
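A fuller startup check, as an added example that is not code from the original post: it fails when the property is missing or not "true", and also flags misspelt variants, since the JVM accepts any -D name without complaint. The class name PropertyCheck and the look-alike heuristic (a log4j2.* key containing both "msg" and "lookup") are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/** Added example: startup check that log4j2.formatMsgNoLookups really reached the JVM. */
public class PropertyCheck {
    static final String EXPECTED = "log4j2.formatMsgNoLookups";

    /** Returns a list of problems; an empty list means the property is set to "true". */
    static List<String> verify(Properties props) {
        List<String> problems = new ArrayList<>();
        String value = props.getProperty(EXPECTED);
        if (value == null) {
            problems.add(EXPECTED + " is not set");
        } else if (!"true".equalsIgnoreCase(value.trim())) {
            problems.add(EXPECTED + " is set to '" + value + "', expected 'true'");
        }
        // A misspelt -D flag is accepted silently by the JVM, so report look-alike keys.
        // Heuristic (assumption of this example): log4j2.* keys mentioning "msg" and "lookup".
        for (String name : props.stringPropertyNames()) {
            String lower = name.toLowerCase();
            if (!name.equals(EXPECTED) && lower.startsWith("log4j2.")
                    && lower.contains("msg") && lower.contains("lookup")) {
                problems.add("possible misspelling: " + name + "=" + props.getProperty(name));
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample: a transposed property name that has no effect.
        Properties typo = new Properties();
        typo.setProperty("log4j2.noFormatMsgLookup", "true");
        System.out.println("constructed sample -> " + verify(typo));

        // The real JVM properties, as set by -D flags or JAVA_TOOL_OPTIONS.
        List<String> problems = verify(System.getProperties());
        if (problems.isEmpty()) {
            System.out.println(EXPECTED + "=true was picked up");
        } else {
            problems.forEach(p -> System.err.println("WARNING: " + p));
            System.exit(1); // fail the startup check so the gap is noticed
        }
    }
}
```

Running it with JAVA_TOOL_OPTIONS set as described above should print the confirmation line and exit 0; without the property it prints a warning and exits 1.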