DISCLAIMER #1: THIS GIST IS INFORMATIONAL ONLY AND NOT COMPLETE SECURITY GUIDANCE. Use this data with care, and please recheck the commits if you want to cite them as the source.
DISCLAIMER #2: JDK MITIGATIONS ARE NOT THE WHOLE STORY. THE REAL FIX IS IN LOG4J: UPGRADE TO AT LEAST 2.15.0 OR SET log4j2.formatMsgNoLookups=true.
There might be more vectors than these mitigations cover. JDK mitigations shrink the attack surface, but they are not guaranteed to solve everything. I only checked that they mitigate a few simple proof-of-concepts.
TL;DR: Use JDK update releases that are less than 3 years old, and all known mitigations are there. Only old versions from the 8u and 11u release trains seem to have no mitigations. If you have 8u or 11u JDKs that old, update both Log4J (first) and the JDK (second).
Pushed: Oct 6, 2016
Two commits:
- https://github.com/openjdk/jdk/commit/7a1887e91ce50162dc6c89449f290ee34b28b9b0
- https://github.com/openjdk/jdk/commit/7007b4d6f21912f4ef6e8c958ddf86ea71c3e494
These commits introduce:
- com.sun.jndi.cosnaming.object.trustURLCodebase = false
- com.sun.jndi.rmi.object.trustURLCodebase = false
Releases:
- JDK 17: Inherits them from mainline (note changeset hashes are the same), so all JDK 17 are handled.
- JDK 15: Inherits them from mainline (note changeset hashes are the same), so all JDK 15 are handled.
- JDK 13: Inherits them from mainline (note changeset hashes are the same), so all JDK 13 are handled.
- JDK 11: Inherits them from mainline (note changeset hashes are the same), so all JDK 11 are handled.
- JDK 8:
  - First tag is jdk8u121-b06, so first fixed build is 8u121
  - First tag is jdk8u161-b01, so first fixed build is 8u161
8u121 is part of the coordinated security release on January 17, 2017. 8u161 is part of the coordinated security release on January 16, 2018.
Pushed: Jun 8, 2018
One commit:
- https://github.com/openjdk/jdk/commit/309ace52859d889f8c0f27adeb161c646d9b4a51
Introduces:
- com.sun.jndi.ldap.object.trustURLCodebase = false
Releases:
- JDK 17: Inherits it from mainline (note changeset hash is the same), so all JDK 17 are handled.
- JDK 15: Inherits it from mainline (note changeset hash is the same), so all JDK 15 are handled.
- JDK 13: Inherits it from mainline (note changeset hash is the same), so all JDK 13 are handled.
- JDK 11: First tag is jdk-11.0.1+1, so first fixed build is 11.0.1.
- JDK 8: First tag is jdk8u191-b02, so first fixed build is 8u191.
Both JDK 11.0.1 and 8u191 are part of the coordinated security release on October 16, 2018.
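As an added example (not part of this gist), a small Python check that maps a `java -version` banner to the trustURLCodebase=false defaults covered by both sections above, using the first-fixed builds stated here; the banners are constructed samples, and versions the gist does not list (JDK 7, 9, 10, 12) are reported as unknown rather than guessed.

```python
import re

# Added example (not from the gist): map a `java -version` banner to the
# JNDI trustURLCodebase=false defaults, using the first-fixed builds above.
# Versions the gist does not list (JDK 7, 9, 10, 12) are reported as None.

_JDK8 = re.compile(r'"1\.8\.0_(\d+)')                      # e.g. "1.8.0_191"
_JDK9PLUS = re.compile(r'"(\d+)(?:\.(\d+))?(?:\.(\d+))?')  # e.g. "11.0.1", "17"


def parse_version(banner):
    """Return (feature, update): '1.8.0_191' -> (8, 191), '11.0.1' -> (11, 1)."""
    m = _JDK8.search(banner)
    if m:
        return 8, int(m.group(1))
    m = _JDK9PLUS.search(banner)
    if not m:
        raise ValueError("unrecognised version banner: " + banner)
    return int(m.group(1)), int(m.group(3) or 0)


def jndi_mitigations(feature, update):
    """True/False per property group; None where the gist gives no data."""
    if feature >= 13:                  # 13, 15, 17: inherited from mainline
        return {"rmi_cosnaming": True, "ldap": True}
    if feature == 11:                  # rmi/cosnaming in all 11; ldap from 11.0.1
        return {"rmi_cosnaming": True, "ldap": update >= 1}
    if feature == 8:
        # The two rmi/cosnaming commits landed in 8u121 and 8u161, so only
        # from 8u161 are both present. The ldap default arrived in 8u191.
        return {"rmi_cosnaming": update >= 161, "ldap": update >= 191}
    return {"rmi_cosnaming": None, "ldap": None}


def is_fully_mitigated(banner):
    m = jndi_mitigations(*parse_version(banner))
    return m["rmi_cosnaming"] is True and m["ldap"] is True


# Constructed sample banners, not captured from real hosts.
SAMPLE_BANNERS = [
    'java version "1.8.0_131"',
    'openjdk version "1.8.0_191"',
    'openjdk version "11" 2018-09-25',
    'openjdk version "11.0.1" 2018-10-16',
    'openjdk version "17.0.2" 2022-01-18',
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:40} fully mitigated: {is_fully_mitigated(b)}")
```

A JDK 8 build between 8u121 and 8u160 carries only one of the two rmi/cosnaming commits, and the gist does not say which property that one introduces, so the check treats it as unmitigated.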