Mitigation for Docker images affected by Log4j vulnerability


These are the mitigations that can be done for the docker images that are using Log4j library in their Java applications. Though these are effective to a certain extent, the best way to prevent the exploitation is to add Web Application Firewall rules which will prevent JNDI calls using the exploit. The mitigations are listed as follows

By editing Docker file: Add the below in your docker file so that DNS lookups are turned off by default in the container you are running

ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true

By Command line: Run the below command along with your command to run the docker container. It will effectively turn off any DNS lookups.

"-Dlog4j.formatMsgNoLookups=true"

But above all these if you are running containerized applications in production, make sure you put Application firewall rules to block the headers that contain JNDI lookup

Scroll to Top