Here's how you can get the version of Log4j you are using at runtime using Java:
Java Code to Get the Log4j Version at Runtime
org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion()
The above only works on version log4j2 (log4j version 2), and is based on jar file manifest information. There doesn't appear to be a getVersion() method or function in the log4j package.
ColdFusion / CFML Code to get Log4j Version at Runtime
If you are using ColdFusion / Lucee or CFML, you can run this snippet:
createObject("java", "org.apache.logging.log4j.util.PropertiesUtil").getClass().getPackage().getImplementationVersion()
Checking log4j2.formatMsgNoLookups at runtime
I picked the PropertiesUtil class in my above example because it appears that it can be used to check for the Java system property log4j2.formatMsgNoLookups or potentially the LOG4J_FORMAT_MSG_NO_LOOKUPS at runtime.
org.apache.logging.log4j.util.PropertiesUtil.getProperties().getBooleanProperty("log4j2.formatMsgNoLookups")
I haven't fully tested the above in all scenarios, but it looks handy so I thought I'd share it.
Checking a System Property at Runtime with Java
Here's a generic way to check a system property value at runtime in java:
java.lang.System.getProperty("log4j2.formatMsgNoLookups")
The value will be null if it is not defined.
Checking a Environment Variable value at Runtime in Java
To check for the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable at runtime you can use:
java.lang.System.getenv("LOG4J_FORMAT_MSG_NO_LOOKUPS")
Checking the System Property / Environment Variable in CFML
Using CFML you can run this chunk of code to test:
//(c) Pete Freitag / Foundeo Inc : https://www.petefreitag.com/item/924.cfm
system = createObject("java", "java.lang.System");
prop = system.getProperty("log4j2.formatMsgNoLookups");
evn = system.getenv("LOG4J_FORMAT_MSG_NO_LOOKUPS");
if (isNull(prop) && isNull(env)) {
writeOutput("System Property / Env Var Not Defined");
} else {
if (!isNull(prop)) {
writeOutput("log4j2.formatMsgNoLookups=#encodeForHTML(prop)#");
} else {
writeOutput("LOG4J_FORMAT_MSG_NO_LOOKUPS=#encodeForHTML(env)#");
}
}
Warning
In java you can have multiple class loaders, and potentially multiple versions of log4j running in your application at once. This code example only shows what version of Log4j the class loader that runs it has.
I strongly recommend that you scan your jar files as well. More info on CVE-2021-44228 here.
Comments
Thank you Pete, as always. I ran above code for CF and it displays "System Property / Env Var Not Defined". does that mean that LOG4J_FORMAT_MSG_NO_LOOKUPS is not used at all? If so, do I still need to add Dlog4j2.formatMsgNoLookups=true in jvm.config
@Simranjit - That means the LOG4J_FORMAT_MSG_NO_LOOKUPS environment var / log4j2.formatMsgNoLookups system property is not set. You don't necessarily need to add it, it would only provide protection if you had a vulnerable jar somewhere that you didn't realize. The best solution is to make sure you have updated to log4j 2.17.0, because that fixes some issues that this environment variable / system property do not protect against.
Where to write this line and in which file? "org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion()"
Is there any particular reason you chose the PropertiesUtil class to get the version information, as opposed to some other class? My first inclination would have been Logger since it's imported into the source file anyway.
FYI Java Code to Get the Log4j Version at Runtime is not working for Log4j 2.12.4 something like this: LOGGER.info("Log4j Ver: "+ org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion());