
log4j2 java — Where to put formatMsgNoLookups in log4j XML config file ?

Flutter Developer
Dec 15, 2021


CVE-2021-44228 Log4Shell Vulnerability

If you can, upgrade to the log4j2 and Java versions recommended by the security page on the Apache Logging site. That page has changed since my original post: Log4Shell / JNDI needs log4j2 >= 2.15.0.

The Apache site suggests workarounds for the JNDI lookup vulnerability reported against earlier releases of Log4j2. IMO: this is such a serious vulnerability that you shouldn't contemplate these workarounds. Upgrade the Log4j jars.

  1. Set the system property log4j2.formatMsgNoLookups when you launch the JVM, passing it as java -Dlog4j2.formatMsgNoLookups=true ... .
  2. Set environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  3. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the org/apache/logging/log4j/core/lookup/JndiLookup.class from the classpath - see log4j-core-*.jar.
  4. Replace the format pattern %m with %m{nolookups} (for some versions).

The second point sounds like the quickest to apply, as it could be defined once for each user account that runs your application, though I could not find LOG4J_FORMAT_MSG_NO_LOOKUPS when running a grep over the Java source code for 2.14.0, so perhaps this workaround applies to earlier versions.
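As an added example (not part of the original post), the following POSIX shell helper turns the workarounds listed above into a small triage script: it maps a log4j-core version string to the mitigation the list gives for that version range, and checks a `jar tf`-style listing for JndiLookup.class. It assumes versions are dotted numerics with an optional suffix such as -beta9 (ignored), that the formatMsgNoLookups route starts just above 2.10.0 where the class-removal range ends, and that 2.15.0 is the fixed release, as stated above.

```sh
#!/bin/sh
# Added triage helper, not code from the original post: map a log4j-core
# version to the mitigation the post lists for it, and check a jar listing
# for JndiLookup.class. Assumes dotted numeric versions ("-beta9" suffix ignored).

# Return 0 when version $1 >= version $2 (compares up to three components).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/-.*/, "", a); sub(/-.*/, "", b)      # 2.0-beta9 -> 2.0
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0                                    # equal
    }'
}

# Print which of the post's mitigations applies to log4j-core version $1.
log4shell_mitigation() {
    if version_ge "$1" 2.15.0; then
        echo upgraded                     # JNDI lookup fixed, nothing to do
    elif version_ge "$1" 2.10.1; then
        echo formatMsgNoLookups           # -Dlog4j2.formatMsgNoLookups=true / LOG4J_FORMAT_MSG_NO_LOOKUPS=true
    elif version_ge "$1" 2.0; then
        echo remove-JndiLookup            # 2.0-beta9 .. 2.10.0: delete the class from the jar
    else
        echo unknown                      # e.g. log4j 1.x, not covered by the post
    fi
}

# Read a `jar tf` / `unzip -l` listing on stdin; 0 if JndiLookup.class is present.
jar_has_jndilookup() {
    grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup\.class'
}

# Constructed sample listing, as `jar tf log4j-core-2.14.0.jar` might print it.
SAMPLE_LISTING='META-INF/MANIFEST.MF
org/apache/logging/log4j/core/Logger.class
org/apache/logging/log4j/core/lookup/JndiLookup.class'
for v in 2.0-beta9 2.8.2 2.10.0 2.14.0 2.15.0; do
    printf '%-10s %s\n' "$v" "$(log4shell_mitigation "$v")"
done
if printf '%s\n' "$SAMPLE_LISTING" | jar_has_jndilookup; then
    echo 'JndiLookup.class present; remove it with:'
    echo '  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class'
fi
```

Run it against the output of `jar tf` on each deployed log4j-core jar to see which of the listed steps still applies before the upgrade lands.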

Certain JDK releases mitigate the risks: JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected, due to defaults applied to LDAP lookups. Upgrade where…
