CVE-2021-44228 Log4j : Add JAVA_TOOL_OPTIONS mitigation to Environment variables (Windows)
Description
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
While it is strongly advised to update every affected application to Log4j 2.15.0 or later, or at least to configure each application individually with log4j2.formatMsgNoLookups=true, some system-wide attack surface reduction can be achieved by adding the property to the JAVA_TOOL_OPTIONS environment variable, which the JVM reads at startup.
This method is limited. The property only exists in Log4j 2.10 and later; a launcher or service wrapper may start the JVM with a clean environment or pass its own -D flags, which take precedence over JAVA_TOOL_OPTIONS; and JVMs and Windows services that are already running only see a machine-scope environment change after they are restarted. Two further caveats: Apache documents the property as log4j2.formatMsgNoLookups, whereas this Fixlet sets log4j.formatMsgNoLookups (Log4j 2 normalizes the log4j/log4j2 prefix, so both spellings are expected to be honoured, but confirm this on a test host rather than assume it), and every JVM that picks up the variable prints "Picked up JAVA_TOOL_OPTIONS: ..." to stderr at startup, which can disturb tooling that parses Java's stderr. This Fixlet may therefore provide some measure of improvement, but its effect depends on the specific versions of Java and Log4j in use.
Guidance on these values is taken from
- https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
- https://docs.oracle.com/javase/8/docs/technotes/guides/troubleshoot/envvars002.html
- http://mail-archives.apache.org/mod_mbox/flink-user/202112.mbox/%3Cf04c6b32-1073-a002-3633-bf4af981bf08@apache.org%3E
This Fixlet applies the following Environment Variable values on Windows (machine scope, via setx /M):
- JAVA_TOOL_OPTIONS = -Dlog4j.formatMsgNoLookups=true (prepended to any existing value)
- JDK_JAVA_OPTIONS = -Dlog4j.formatMsgNoLookups=true (prepended to any existing value; only the JDK 9+ launcher reads this variable)
- _JAVA_OPTIONS = -Dlog4j.formatMsgNoLookups=true (prepended to any existing value; an undocumented HotSpot variable)
- LOG4J_FORMAT_MSG_NO_LOOKUPS = true (overwriting any existing entry; Log4j 2.10+ reads this environment variable directly, without JVM involvement)
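As an added example (not part of the Fixlet or its BESC listing), the same change done from an elevated PowerShell prompt, followed by a check that a freshly started JVM actually picks the option up. It writes the machine-scope Environment key through .NET rather than setx, which avoids setx's 1024-character value limit and the nested cmd.exe quoting. The flag uses Apache's documented log4j2. spelling; the function name Add-MachineJvmFlag and the use of [Environment]::SetEnvironmentVariable are this example's own choices, not something the Fixlet does.

```powershell
# Added example, not the Fixlet's own action script. Run from an elevated prompt.
# [Environment]::*EnvironmentVariable with the 'Machine' target reads and writes
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment and broadcasts
# WM_SETTINGCHANGE, as setx /M does, without setx's 1024-character truncation.
#Requires -RunAsAdministrator

# Apache documents the property as log4j2.formatMsgNoLookups (the Fixlet uses the log4j. prefix).
$Flag    = '-Dlog4j2.formatMsgNoLookups=true'
$OptVars = 'JAVA_TOOL_OPTIONS', 'JDK_JAVA_OPTIONS', '_JAVA_OPTIONS'

function Add-MachineJvmFlag {
    # Idempotently prepend $Flag to the machine-scope variable $Name, keeping existing options.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Flag
    )
    $current = [Environment]::GetEnvironmentVariable($Name, 'Machine')
    # Exact, case-sensitive token match: Java system property names are case-sensitive.
    if ($current -and (($current -split '\s+') -ccontains $Flag)) {
        return [pscustomobject]@{ Name = $Name; Changed = $false; Value = $current }
    }
    $new = if ($current) { "$Flag $current" } else { $Flag }
    [Environment]::SetEnvironmentVariable($Name, $new, 'Machine')
    return [pscustomobject]@{ Name = $Name; Changed = $true; Value = $new }
}

$results = foreach ($v in $OptVars) { Add-MachineJvmFlag -Name $v -Flag $Flag }

# Log4j 2.10+ also reads this variable directly; set it only if it is not already "true".
if ([Environment]::GetEnvironmentVariable('LOG4J_FORMAT_MSG_NO_LOOKUPS', 'Machine') -cne 'true') {
    [Environment]::SetEnvironmentVariable('LOG4J_FORMAT_MSG_NO_LOOKUPS', 'true', 'Machine')
}
$results | Format-Table -AutoSize

# Verification. This shell still carries the environment block it started with, so copy
# the machine-scope value into the current process before launching a JVM. A JVM that
# honours JAVA_TOOL_OPTIONS echoes "Picked up JAVA_TOOL_OPTIONS: ..." on stderr and lists
# the property under -XshowSettings:properties. Requires a java.exe on PATH (assumption).
if (Get-Command java -ErrorAction SilentlyContinue) {
    $env:JAVA_TOOL_OPTIONS = [Environment]::GetEnvironmentVariable('JAVA_TOOL_OPTIONS', 'Machine')
    & java -XshowSettings:properties -version 2>&1 |
        ForEach-Object { "$_" } |
        Select-String -Pattern 'Picked up|formatMsgNoLookups'
}
# Already-running JVMs and Windows services only see the new value after they restart.
```

The verification only proves that the JVM received the -D option; whether Log4j honours it still depends on the Log4j version bundled with each application (2.10 or later), so check the application's own startup log for lookup behaviour as well.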
Property Details
- ID: 26898
- Status: Alpha - Code that was just developed
- Title: CVE-2021-44228 Log4j : Add JAVA_TOOL_OPTIONS mitigation to Environment variables (Windows)
- BESC
- Internal
- 12/13/2021 12:00:00 AM
- Keywords: CVE, CVE-2021-44228, Log4j, vulnerability, environment, windows
- JasonWalker on 12/14/2021 9:51:29 AM
- JasonWalker on 12/14/2021 9:51:29 AM
- 830 Views / 22 Downloads
Relevance
Used in 1 fixlet; results in a true/false.
Actions
Action 1 (default)
// Disable WOW64 redirection on x64 hosts so the 64-bit view of the machine-scope
// Environment key is read, which is the key setx /M writes.
action uses wow64 redirection {not x64 of operating system}
// For each JVM option variable: if the flag is not already present (the relevance
// "contains" test is case-sensitive), prepend it to the existing value, using an
// empty string when the value does not exist. setx /M writes HKLM and broadcasts the
// change; processes and services that are already running keep their old environment.
if {not exists values "JAVA_TOOL_OPTIONS" whose (it as string contains "-Dlog4j.formatMsgNoLookups=true") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string}
waithidden cmd.exe /c "setx /M JAVA_TOOL_OPTIONS "-Dlog4j.formatMsgNoLookups=true {value "JAVA_TOOL_OPTIONS" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string | ""}""
endif
if {not exists values "JDK_JAVA_OPTIONS" whose (it as string contains "-Dlog4j.formatMsgNoLookups=true") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string}
waithidden cmd.exe /c "setx /M JDK_JAVA_OPTIONS "-Dlog4j.formatMsgNoLookups=true {value "JDK_JAVA_OPTIONS" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string | ""}""
endif
if {not exists values "_JAVA_OPTIONS" whose (it as string contains "-Dlog4j.formatMsgNoLookups=true") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string}
waithidden cmd.exe /c "setx /M _JAVA_OPTIONS "-Dlog4j.formatMsgNoLookups=true {value "_JAVA_OPTIONS" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string | ""}""
endif
// Log4j 2.10+ reads this environment variable itself; it is simply set to "true".
// Note that setx truncates values longer than 1024 characters, so an unusually long
// pre-existing JAVA_TOOL_OPTIONS value would be cut off by the commands above.
if {not exists values "LOG4J_FORMAT_MSG_NO_LOOKUPS" whose (it as string = "true") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string}
waithidden cmd.exe /c "setx /M LOG4J_FORMAT_MSG_NO_LOOKUPS "true""
endif
This action will be considered successful when the applicability relevance evaluates to false.