Skip to content

How to fix Log4j vulnerability in your Java app?

Log4j is vulnerability that might affect almost all the application that might be using Java. This is because of a library called Log4j which allows JNDI lookup in header field of request without filtering and allows it to directly query the LDAP server. This literally allows the attacker to execute anything on your server without signing in and also attacker would be able to get the environment variables of the server because of this vulnerability. Let us see below on how to fix this vulnearability

WorkAround 1: Add Web Application firewall rules which prevents headers with JNDI content

WorkAround 2: Patch the log4j library to the latest version 2.15.0 (Patch it to 2.16.0 )

WorkAround 3: Disable the log4j library or set the environment variables (The 2nd part might not be effective)

All these workarounds might not be useful as some of the enterprise applications themselves have log4j embedded in their software (E.g Cisco, Redhat etc.,) so your first line of defense is always the Web Application Firewall rules.

The log4j JNDI attack