confirming Log4j usages, classes refer Log4j using -verbose:class option

the Log4j Security Vulnerabilities

the Log4j Security Vulnerabilities are the biggest concern among Java developers. There is no privilege escalation, but every operation available to the user running the JVM process is available to the attacker fairly easily. Dealing with the issue is a MUST.

There is a chance that your system is not affected by the issue, but it’s better to update to Log4j 2.15.0+ to ensure that your system is safe.

Note that Log4j 1.x is EOL’d years ago. It’s time to migrate to Log4j 2.x.

Not sure I’m using Log4j or not

If you don’t know if Log4j is used or not, set log4j2.formatMsgNoLookups system property, or LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true, and restart your system to work around the issue.

Conforming Log4j usages

You might be able to confirm Log4j usages by browsing pom.xml or build.gradle. But there is a huge chance that some of the depending libraries are depending on Log4j, or dynamically loaded plugins come with Log4j.

The class causing the issue is org.apache.logging.log4j.core.lookup.JndiLookup. You can check if your system is using Log4j, by checking the class, org.apache.logging.log4j.LogManager, or org.apache.logging.log4j.Logger which are the starting point of Log4j are loaded.

You can check the class loader log with -verbose:class JVM option. Technically this option will slightly slow down the startup performance, but your should be focusing on security rather than performance now.

For example, you’ll see the following pattern if your system is using Log4j.

[0.107s][info][class,load] org.apache.logging.log4j.core.lookup.JndiLookup source: file:/Users/yusuke/.m2/repository/org/apache/logging/log4j/log4j-core/2.15.0/log4j-core-2.15.0.jar
[0.056s][info][class,load] org.apache.logging.log4j.LogManager source: file:/Users/yusuke/.m2/repository/org/apache/logging/log4j/log4j-api/2.15.0/log4j-api-2.15.0.jar
[0.057s][info][class,load] org.apache.logging.log4j.Logger source: file:/Users/yusuke/.m2/repository/org/apache/logging/log4j/log4j-api/2.15.0/log4j-api-2.15.0.jar

Which class is referring Log4j?

Trace back your logfile from where LogManager or Logger is loaded. The class other than java.*, or jdk.* is the one referring Log4j.

In the next example, the last class before LogManager is loaded, one.cafebabe.Log4JTest is the one referring Log4j.