Fixed in Log4j 2.15.0
Versions Affected: all versions from 2.0-beta9 to 2.14.1
How to Mitigate CVE-2021-44228
To mitigate, the following options are available (see the advisory from Apache here):
- Upgrade to log4j v2.15.0
- If you are using log4j v2.10 or above, and cannot upgrade, then set the property log4j2.formatMsgNoLookups=true
- Or remove the JndiLookup class from the classpath. For example, you can run a command like zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class to remove the class from the log4j-core.
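To confirm that the class-removal option in the answer above actually took effect, the following added example (not part of the original answer) checks an archive for a remaining JndiLookup.class. It goes beyond the single-jar case by also descending into nested archives, where a bundled copy of log4j-core would not be touched by a zip -d run against log4j-core-*.jar. The function names and the in-memory sample jars are constructed for illustration, and it assumes the jar keeps the pom.properties file that Maven-built jars carry.

```python
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: Maven-built log4j-core jars record their version in this file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_SUFFIXES = (".jar", ".war", ".ear")


def find_jndi_lookup(data, label, depth=0, max_depth=4):
    """Return [(archive path, version or None)] for every archive, at any
    nesting level, that still contains JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                text = zf.read(POM_PROPS).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            hits.append((label, version))
        if depth < max_depth:  # bound recursion into nested archives
            for name in sorted(names):
                if name.lower().endswith(NESTED_SUFFIXES):
                    hits += find_jndi_lookup(zf.read(name), f"{label}!/{name}",
                                             depth + 1, max_depth)
    return hits


def make_jar(entries):
    """Build an in-memory jar from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: unpatched core jar, patched core jar, fat jar bundling the unpatched one.
UNPATCHED = make_jar({JNDI_CLASS: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.14.1\n"})
PATCHED = make_jar({POM_PROPS: b"version=2.14.1\n"})
FAT = make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": UNPATCHED, "app/Main.class": b""})

if __name__ == "__main__":
    for label, data in [("core.jar", UNPATCHED), ("patched.jar", PATCHED), ("app.jar", FAT)]:
        print(label, find_jndi_lookup(data, label))
```

An empty result means no copy of the class was found in the archive or in anything nested inside it, down to max_depth levels.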