Log4J exploit and VM parameter log4j2.formatMsgNoLookups

Andre Albert, modified 3 Years ago.

New Member Posts: 14 Join Date: 3/28/14 Recent Posts

Hello,

Liferay wrote an article about the log4j eploit (https://help.liferay.com/hc/en-us/articles/4416190497805) and one statement is that setting the VM Launch parameter

-DLog4j2.formatMsgNoLookups=true

will fix it.

Is it save to have it with an uppercased L because on the web, it is said that

-Dlog4j2.formatMsgNoLookups=true

will fix it. As far as i know, System parameters are case sensitive. So it save, or should i rather use the lowercase log4j2.formatMsgNoLookups?

application security

Andre Albert, modified 3 Years ago.

RE: Log4J exploit and VM parameter log4j2.formatMsgNoLookups (Answer)

Liferay Master Posts: 677 Join Date: 2/13/09 Recent Posts

Hello Andre,

I just tried and any of them works and protects:

-DLog4j2.formatMsgNoLookups=true

-Dlog4j2.formatMsgNoLookups=true

Log4j has a special lookups tables ... https://github.com/apache/logging-log4j2/blob/50979afd30cb575ba743c25847b62f52414b1d3a/log4j-api/src/main/java/org/apache/logging/log4j/util/PropertiesUtil.java#L482-L498

Andre Albert, modified 3 Years ago.

RE: RE: Log4J exploit and VM parameter log4j2.formatMsgNoLookups

New Member Posts: 14 Join Date: 3/28/14 Recent Posts

Many thanks Tomas for clarification on this.

Best regards Andre

Community

Company

Feedback

Ask Questions and Find Answers

Important:

Ask is now read-only. You can review any existing questions and answers, but not add anything new.

But - don't panic! While ask is no more, we've replaced it with discuss - the new Liferay Discussion Forum! Read more here here or just visit the site here:

discuss.liferay.com

Log4J exploit and VM parameter log4j2.formatMsgNoLookups