IBM Java get defaults (to mitigate CVE-2021-44228 AKA Log4Shell vulnerability)

java websphere

How can I dump on Java (IBM Java) the default values to check the default of the following?

"com.sun.jndi.rmi.object.trustURLCodebase"
"com.sun.jndi.cosnaming.object.trustURLCodebase"

Something like this, but for the above parameters:

java -XX:+PrintFlagsFinal -version

This is for a CVE-2021-44228 mitigation review.

Ideally this can be checked on cmd and not need to run test code.

Here is my attempt of test code which doesn't show (display Null):

import java.util.Properties;

class TiloDisplay
{
    public static void main(String[] args)
    {
        Properties prop = System.getProperties();
        printProperties(prop);
    }

    public static void printProperties(Properties prop) {
        prop.stringPropertyNames().stream()
                .map(key -> key + ": " + prop.getProperty(key))
                .forEach(System.out::println);
        System.out.println("CVE check part ========================================== " );
        System.out.println("CVE check for:: com.sun.jndi.ldap.object.trustURLCodebase: " + prop.getProperty("com.sun.jndi.ldap.object.trustURLCodebase"));
        System.out.println("CVE check for:: com.sun.jndi.rmi.object.trustURLCodebase: " + prop.getProperty("com.sun.jndi.rmi.object.trustURLCodebase"));
        System.out.println("CVE check for:: com.sun.jndi.cosnaming.object.trustURLCodebase: " + prop.getProperty("com.sun.jndi.cosnaming.object.trustURLCodebase"));
        System.out.println("Cross Check: " + prop.getProperty("java.version"));
    }
}

Compile and run:

javac DisplayApp.java -source 1.8 -target 1.8
java TiloDisplay

CVE-2021-44228 creates a large attack surface depending on the imagination of the attacker and an RCE is just one of them.

I would strongly advise you to avoid having a false conclusion by relying on a JVM feature targeting a certain attack vector; there are more vectors. Simply either bump log4j-core to 2.15.0 or set the log4j2.formatMsgNoLookups=true system property.


Answering the letter of the question:

It does not appear that the system properties in question have any value by default. If they did, you could check with:

java -XshowSettings:properties -version

Note that -X flags are non-standard, though IBM Java supports this one (checked Semeru 11).

As for the context:

The implementations (in OpenJDK at least) query for the property values, defaulting to false if the properties are unset, e.g.,

// System property to control whether classes may be loaded from an
// arbitrary URL code base
String trust = getPrivilegedProperty(
        "com.sun.jndi.ldap.object.trustURLCodebase", "false");
trustURLCodebase = "true".equalsIgnoreCase(trust);

So neither -XshowSettings nor the programmatic check in the question are helpful to know for certain what behavior your JVM defaults to for these features, or if the JVM version you're running uses these properties at all if you set them explicitly.

I agree with Volkan's point, but I also would like to verify that these (dangerous) JNDI features are disabled regardless of the Log4j exploit. Unfortunately though we need another way to do that, ideally an implementation-independent one.


The upgrade to Log4j 2.15.x is not enough. There is another exploit (see Second Log4j vulnerability discovered, patch already released) and a new version Log4j 2.16 has been published already, disabling the default JNDI settings (Download Apache Log4j 2) and upgrade to 2.16 version is more important now.

But there are many Log4j clones, custom code using the same Log4j classes and that is why it's important to check the JVM settings, especially for previous JDK versions as prior to 6u211, 7u201 and 8u191 and disable JNDI + RMI settings. More about it was presented at Black Hat in 2016. See A journey from JNDI/LDAP manipulation to remote code execution dream land.


The command

jps -lvm

will output your running Java processes with their parameters.

See also this answer to Getting the parameters of a running JVM.


I would assume that turning these feature off will prevent remote code execution (RCE) using JNDI, not just the one using Log4j 2:

log4j2.formatMsgNoLookups -> set to true
"com.sun.jndi.rmi.object.trustURLCodebase" -> set to false
"com.sun.jndi.cosnaming.object.trustURLCodebase" -> set to false

Upgrade Log4J2 to 2.17.1 and upgrade Java to higher than Java 8u121.

Related

How to call an rest api while bootstrapping angular 2 app
Spring-amqp two queues with different TTL
Permission denied when accessing VirtualBox shared folder when member of the vboxsf group
Replace Carriage Return and Line Feed in Notepad++
how can I uninstall using homebrew?
Where is the temporary directory in Linux?
downloading file using scp command
Can you extend the expiration date of an already expired GPG key?
ZSH - output whole history?
How to remove read-only attribute recursively on Windows
What are "build-essential" & "build-dep"?
Opened a JPG picture with notepad, pasted all the "text" to a new notepad file, changed to .JPG and it no longer opens. Why?