Log4J exploit and VM parameter log4j2.formatMsgNoLookups

Message Boards

Andre Albert, modified 2 Years ago.

Log4J exploit and VM parameter log4j2.formatMsgNoLookups

New Member Posts: 14 Join Date: 3/28/14 Recent Posts

Hello,

Liferay wrote an article about the log4j eploit (https://help.liferay.com/hc/en-us/articles/4416190497805) and one statement is that setting the VM Launch parameter

-DLog4j2.formatMsgNoLookups=true

will fix it.

Is it save to have it with an uppercased L because on the web, it is said that

-Dlog4j2.formatMsgNoLookups=true

will fix it. As far as i know, System parameters are case sensitive. So it save, or should i rather use the lowercase log4j2.formatMsgNoLookups?

application security

Tomáš Polešovský, modified 2 Years ago.

RE: Log4J exploit and VM parameter log4j2.formatMsgNoLookups (Answer)

Liferay Master Posts: 676 Join Date: 2/13/09 Recent Posts

Hello Andre,

I just tried and any of them works and protects:

-DLog4j2.formatMsgNoLookups=true

-Dlog4j2.formatMsgNoLookups=true

Log4j has a special lookups tables ... https://github.com/apache/logging-log4j2/blob/50979afd30cb575ba743c25847b62f52414b1d3a/log4j-api/src/main/java/org/apache/logging/log4j/util/PropertiesUtil.java#L482-L498

Andre Albert, modified 2 Years ago.

RE: RE: Log4J exploit and VM parameter log4j2.formatMsgNoLookups

New Member Posts: 14 Join Date: 3/28/14 Recent Posts

Many thanks Tomas for clarification on this.

Best regards Andre