Es ist eine kritische Sicherheitslücke in der beliebten Protokollierungsbibliothek für Java-Anwendungen Log4j bekannt geworden. Das BSI weist die zweithöchste Warnstufe rot aus, Microsoft hat am Wochenende einen Guidance und Blogbeitrag mit Hintergrundinformationen veröffentlicht.
Workarounds von Microsoft:
-
In case the Log4j 2 vulnerable component cannot be updated, Log4J 2 versions 2.10 to 2.14.1 support the parameter log4j2.formatMsgNoLookups to be set to ‘true’, to disable the vulnerable feature. Ensure this parameter is configured in the startup scripts of the Java Virtual Machine: -Dlog4j2.formatMsgNoLookups=true.
-
Alternatively, customers using Log4j 2.10 to 2.14.1 may set the LOG4J_FORMAT_MSG_NO_LOOKUPS=”true” environment variable to force this change.
-
Kubernetes administrators may use “kubectl set env” to set the LOG4J_FORMAT_MSG_NO_LOOKUPS=”true” environment variable to apply the mitigation across Kubernetes clusters where the Java applications are running Log4j 2.10 to 2.14.1, effectively reflecting on all pods and containers automatically.
-
For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class