Pete FreitagHow to get Log4j Version at Runtime in Java
By Pete Freitag
Here's how you can get the version of Log4j you are using at runtime using Java:
Java Code to Get the Log4j Version at Runtime
org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion()
The above only works on version log4j2 (log4j version 2), and is based on jar file manifest information. There doesn't appear to be a getVersion() method or function in the log4j package.
ColdFusion / CFML Code to get Log4j Version at Runtime
If you are using ColdFusion / Lucee or CFML, you can run this snippet:
createObject("java", "org.apache.logging.log4j.util.PropertiesUtil").getClass().getPackage().getImplementationVersion()
Checking log4j2.formatMsgNoLookups at runtime
I picked the PropertiesUtil class in my above example because it appears that it can be used to check for the Java system property log4j2.formatMsgNoLookups or potentially the LOG4J_FORMAT_MSG_NO_LOOKUPS at runtime.
org.apache.logging.log4j.util.PropertiesUtil.getProperties().getBooleanProperty("log4j2.formatMsgNoLookups")
I haven't fully tested the above in all scenarios, but it looks handy so I thought I'd share it.
Checking a System Property at Runtime with Java
Here's a generic way to check a system property value at runtime in java:
java.lang.System.getProperty("log4j2.formatMsgNoLookups")
The value will be null if it is not defined.
Checking a Environment Variable value at Runtime in Java
To check for the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable at runtime you can use:
java.lang.System.getenv("LOG4J_FORMAT_MSG_NO_LOOKUPS")
Checking the System Property / Environment Variable in CFML
Using CFML you can run this chunk of code to test:
//(c) Pete Freitag / Foundeo Inc : https://www.petefreitag.com/item/924.cfm
system = createObject("java", "java.lang.System");
prop = system.getProperty("log4j2.formatMsgNoLookups");
evn = system.getenv("LOG4J_FORMAT_MSG_NO_LOOKUPS");
if (isNull(prop) && isNull(env)) {
writeOutput("System Property / Env Var Not Defined");
} else {
if (!isNull(prop)) {
writeOutput("log4j2.formatMsgNoLookups=#encodeForHTML(prop)#");
} else {
writeOutput("LOG4J_FORMAT_MSG_NO_LOOKUPS=#encodeForHTML(env)#");
}
}
Warning
In java you can have multiple class loaders, and potentially multiple versions of log4j running in your application at once. This code example only shows what version of Log4j the class loader that runs it has.
I strongly recommend that you scan your jar files as well. More info on CVE-2021-44228 here.
How to get Log4j Version at Runtime in Java was first published on December 15, 2021.
If you like reading about log4j, java, or security then you might also like:
- Log4j 1.x Vulnerability Mitigation Guide
- Log4Shell Vulnerability Timeline
- Log4j CVE-2021-44228 Log4Shell Vulnerability on ColdFusion / Lucee
- Spring4Shell and ColdFusion
Weekly Security Advisories Email
Advisory Week is a new weekly email containing security advisories published by major software vendors (Adobe, Apple, Microsoft, etc).
Comments
Java Code to Get the Log4j Version at Runtime is not working for Log4j 2.12.4
something like this:
LOGGER.info("Log4j Ver: "+ org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion());
I ran above code for CF and it displays "System Property / Env Var Not Defined". does that mean that LOG4J_FORMAT_MSG_NO_LOOKUPS is not used at all? If so, do I still need to add Dlog4j2.formatMsgNoLookups=true in jvm.config