Our system is a microservices-based system. It has more than 120 services. We were advised to upgrade the log4j version in our microservices to 2.16.0 to mitigate the recent log4j vulnerability. Currently, our services use the 2.11.2 version. Can't we just use `-Dlog4j2.formatMsgNoLookups=true` to mitigate these vulnerabilities?
Usually upgrading a dependency version is way easier than promoting a flag that might require to be configured everywhere (several configs, scripts, etc, etc, etc). Additionally, having upgraded to 2.16.0 you wouldn't even care about the value of the flag. (N.B. Opt-out flags like that are awful.) – terrorrussia-keeps-killing Dec 16 '21 at 17:00
1 Answer
Look at the Apache Log4j Security Vulnerabilities page, especially the explanation under the heading "Fixed in Log4j 2.12.2 and Log4j 2.16.0".
It explains that even in 2.15.0, which had the initial fix for CVE-2021-44228, there was a situation possible in which you still had a problem, which has a new ID: CVE-2021-45046.
Note that previous mitigations involving configuration, such as setting the system property log4j2.formatMsgNoLookups to true, do NOT mitigate this specific vulnerability.
To protect yourself against the new CVE, update to 2.16.0.

Jesper
https://arstechnica.com/information-technology/2021/12/patch-fixing-critical-log4j-0-day-has-its-own-vulnerability-thats-under-exploit/ Further pretty severe vulnerability. TL;DR 2.15.0 has an additional potentially severe vulnerability, and the reco is to patch to 2.16.0 asap. – Taylor Dec 16 '21 at 16:56
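As an added example (not part of the question or of Jesper's answer), here is a small Python inventory check that applies the version advice above across a fleet of services: anything below 2.16.0 (other than the 2.12.2 branch) is flagged, 2.15.0 is flagged for CVE-2021-45046, and a `formatMsgNoLookups` flag is reported but not accepted as a fix. The service names, versions and JVM options are constructed sample data.

```python
# Added example: classify each service's log4j-core version against the advice on this
# page. The SERVICES table is constructed sample data, not a real inventory.
import re
from typing import Dict, List, Tuple

# Constructed inventory: service name -> (log4j-core version, JVM options)
SERVICES: Dict[str, Tuple[str, str]] = {
    "orders":  ("2.11.2", ""),
    "billing": ("2.11.2", "-Dlog4j2.formatMsgNoLookups=true"),
    "gateway": ("2.15.0", ""),
    "auth":    ("2.12.2", ""),
    "search":  ("2.16.0", ""),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.11.2' into (2, 11, 2); qualifiers such as '-rc1' are dropped."""
    core = re.match(r"(\d+(?:\.\d+)*)", v)
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in core.group(1).split("."))

def classify(version: str, jvm_opts: str = "") -> str:
    """Map a log4j-core version to the status described in the answer above."""
    v = parse_version(version)
    if v[0] != 2:
        return "not-log4j2 (out of scope for this check)"
    # "Fixed in Log4j 2.12.2 and Log4j 2.16.0": 2.16.0+ or the 2.12.2+ branch
    if v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0):
        return "fixed"
    if v[:3] == (2, 15, 0):
        return "CVE-2021-45046"  # 2.15.0 only partially fixed the problem
    status = "CVE-2021-44228"
    if "log4j2.formatMsgNoLookups=true" in jvm_opts:
        # The flag is present, but per the answer it does not cover CVE-2021-45046
        status += " (formatMsgNoLookups set, but that does not cover CVE-2021-45046)"
    return status

def audit(services: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group services by status; anything not 'fixed' still needs the 2.16.0 upgrade."""
    report: Dict[str, List[str]] = {}
    for name, (version, opts) in services.items():
        report.setdefault(classify(version, opts), []).append(name)
    return report

if __name__ == "__main__":
    for status, names in audit(SERVICES).items():
        print(f"{status}: {', '.join(names)}")
```

Feed it the real versions from each service's dependency report (for example `mvn dependency:tree` output) to get the upgrade list in one pass.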