# cve-2021-44228-log4j-mitigation
These are some simple scripts to mitigate against log4j vulnerability on Tomcat servers or Java enterprise or web applications

Several sites suggest a few steps to mitigate against the log4j vulnerability discovered on Dec 9, 2021. 
The vulnerablity is due to a "feature" in the common loggin facility log4j, allowing LDAP lookups to 
resolve certain variables in incoming HTTP headers. 

Among these suggested solutions are: 

1. Upgrade to log4j v2.16.0
1. Disable LDAP lookups via configuration change
1. Disable LDAP lookups in log4j, by removing class files

The upgrade to v2.16.0 may come with significant risk to some applications which are using legacy libraries and would require a fill regression test. While this is the correct approach to take, it may be impractical for a fast solution. 
**Note: even this uograde has recently been noted as incomplete solution.**

Disabling LDAP lookups in logging is a practical, fast solution in the interim. This will mean that if your application is logging the result of LDAP lookups (such as full user names or departmental information) at the moment, it will no longer be able to do this. However, we believe that very few application make use of this feature and will in most cases continue to function until the upgrade fix is in place. In particular, if there is no LDAP server configuration present in the web application, this feature should have never been turned on. 

A quick smoke test would be to: 
1. test re-logins
2. temporarily change LDAP configuration, if present at all - see above.

[The included script does the following]( 

1. backup all log4j-core libraries on the system to a tar file
2. for each library file, remove the culprit `JndiLookup` class
3. disable JNDI Lookups in tomcat properties
4. restart tomcat service

**NOTE: this supplied script comes with absolutely NO WARRANTY. Your system may be quite different, or missing prerequisites for this script to work. It is a guidance for specific solution on your environment. **