Pete Freitag Pete Freitag

How to get Log4j Version at Runtime in Java

Updated: December 15, 2021
java

Here's how you can get the version of Log4j you are using at runtime using Java:

Java Code to Get the Log4j Version at Runtime

org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion()

The above only works on version log4j2 (log4j version 2), and is based on jar file manifest information. There doesn't appear to be a getVersion() method or function in the log4j package.

ColdFusion / CFML Code to get Log4j Version at Runtime

If you are using ColdFusion / Lucee or CFML, you can run this snippet:

createObject("java", "org.apache.logging.log4j.util.PropertiesUtil").getClass().getPackage().getImplementationVersion()

Checking log4j2.formatMsgNoLookups at runtime

I picked the PropertiesUtil class in my above example because it appears that it can be used to check for the Java system property log4j2.formatMsgNoLookups or potentially the LOG4J_FORMAT_MSG_NO_LOOKUPS at runtime.

org.apache.logging.log4j.util.PropertiesUtil.getProperties().getBooleanProperty("log4j2.formatMsgNoLookups")

I haven't fully tested the above in all scenarios, but it looks handy so I thought I'd share it.

Checking a System Property at Runtime with Java

Here's a generic way to check a system property value at runtime in java:

java.lang.System.getProperty("log4j2.formatMsgNoLookups")

The value will be null if it is not defined.

Checking a Environment Variable value at Runtime in Java

To check for the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable at runtime you can use:

java.lang.System.getenv("LOG4J_FORMAT_MSG_NO_LOOKUPS")

Checking the System Property / Environment Variable in CFML

Using CFML you can run this chunk of code to test:

//(c) Pete Freitag / Foundeo Inc : https://www.petefreitag.com/item/924.cfm
system = createObject("java", "java.lang.System");
prop = system.getProperty("log4j2.formatMsgNoLookups");
evn = system.getenv("LOG4J_FORMAT_MSG_NO_LOOKUPS");
if (isNull(prop) && isNull(env)) {
    writeOutput("System Property / Env Var Not Defined");
} else {
   if (!isNull(prop)) {
      writeOutput("log4j2.formatMsgNoLookups=#encodeForHTML(prop)#"); 
   } else {
      writeOutput("LOG4J_FORMAT_MSG_NO_LOOKUPS=#encodeForHTML(env)#"); 
   }
}

Warning

In java you can have multiple class loaders, and potentially multiple versions of log4j running in your application at once. This code example only shows what version of Log4j the class loader that runs it has.

I strongly recommend that you scan your jar files as well. More info on CVE-2021-44228 here.


Like this? Follow me ↯

How to get Log4j Version at Runtime in Java was first published on December 15, 2021.

If you like reading about log4j, java, or security then you might also like:

Want Security Advisories via Email?

Advisory Week is a new weekly email containing security advisories published by major software vendors (Adobe, Apple, Microsoft, etc).

Comments

Thank you Pete, as always.
I ran above code for CF and it displays "System Property / Env Var Not Defined". does that mean that LOG4J_FORMAT_MSG_NO_LOOKUPS is not used at all? If so, do I still need to add Dlog4j2.formatMsgNoLookups=true in jvm.config
by Simranjit Singh on 12/23/2021 at 9:37:26 AM UTC
@Simranjit - That means the LOG4J_FORMAT_MSG_NO_LOOKUPS environment var / log4j2.formatMsgNoLookups system property is not set. You don't necessarily need to add it, it would only provide protection if you had a vulnerable jar somewhere that you didn't realize. The best solution is to make sure you have updated to log4j 2.17.0, because that fixes some issues that this environment variable / system property do not protect against.
by Pete Freitag on 12/23/2021 at 5:42:30 PM UTC
Where to write this line and in which file? "org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion()"
by XYZTST on 12/24/2021 at 10:05:04 AM UTC
Is there any particular reason you chose the PropertiesUtil class to get the version information, as opposed to some other class? My first inclination would have been Logger since it's imported into the source file anyway.
by Jason on 01/12/2022 at 4:04:08 PM UTC
FYI

Java Code to Get the Log4j Version at Runtime is not working for Log4j 2.12.4

something like this:

LOGGER.info("Log4j Ver: "+ org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion());
by java99 on 01/21/2022 at 8:50:06 AM UTC

Post a Comment