Static Java agent that disables text substitution by default.
It is still possible to create a logger instance with text parsing enabled.
This agent disables tag matching for the default StrSubstitutor.
The best way to be sure your application is secure is to test it yourself using nc(1).
Log the text ${jndi:ldap://server_ip_with_nc_active:nc_port/a}
and check whether nc(1) received a connection from your application.
If it did, your program is still vulnerable.
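The same check can be run without nc(1). The class below is an added example, not part of the agent's own code: the hypothetical Log4jCallbackCheck opens a loopback listener in nc's place, hands the test string to a logging call you supply, and reports whether a connection came back. The stand-in logCall in main is an assumption; replace it with your application's real logger call.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.util.function.Consumer;

// Hypothetical helper (not shipped with the agent): a local stand-in for the nc(1) listener.
public class Log4jCallbackCheck {

    /**
     * Opens a listener on 127.0.0.1, passes the test string to logCall,
     * and returns true if anything connected to the listener within waitMillis.
     */
    static boolean callbackReceived(Consumer<String> logCall, int waitMillis) throws IOException {
        InetAddress loopback = InetAddress.getByName("127.0.0.1");
        // Port 0 lets the OS pick a free port, so the check never collides with a real service.
        try (ServerSocket listener = new ServerSocket(0, 1, loopback)) {
            listener.setSoTimeout(waitMillis);
            String probe = "${jndi:ldap://127.0.0.1:" + listener.getLocalPort() + "/a}";

            // Log on a separate thread: an active lookup would block in the
            // logging call while it waits for an LDAP reply that never comes.
            Thread logThread = new Thread(() -> logCall.accept(probe));
            logThread.setDaemon(true);
            logThread.start();

            try (Socket inbound = listener.accept()) {
                return true;   // the logging call dialed the listener: lookups are still active
            } catch (SocketTimeoutException e) {
                return false;  // nothing connected within the wait window
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumption: stand-in for the application's logger, e.g. msg -> logger.error(msg)
        Consumer<String> logCall = msg -> System.out.println("logged: " + msg);

        boolean hit = callbackReceived(logCall, 3000);
        System.out.println(hit ? "VULNERABLE: connection received"
                               : "OK: no connection received");
    }
}
```

Run it with the same classpath and JVM parameters as the application under test, so the result reflects the logger configuration the application actually uses.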
Add the -javaagent parameter at the beginning to use this agent. Example:
java -javaagent:Log4jCveFix.jar -jar application.jar
- disable lookup support in Log4j
- halt when something tries to initialize com/sun/jndi/ldap/Connection