1
头图

In the early morning of December 10, the details of the remote code execution vulnerability of the Apache open source project Log4j2 were disclosed, and the vulnerability threat level was serious.

Log4j2 is a Java-based logging tool. It rewrites the Log4j framework and introduces a large number of rich features, allowing users to control the destination of log information delivery to consoles, files, GUI components, etc. At the same time, by defining the level of each log information, users can control the log generation process in more detail.

Log4j is currently one of the most widely used java logging frameworks in the world. The vulnerability also affects many of the world’s top open source components, such as Apache Struts2, Apache Solr, Apache Druid, Apache Flink, etc. Because the vulnerability is easy to exploit, once an attacker exploits the vulnerability, he can execute arbitrary code on the target server, causing great harm to the victim.

图片源自互联网

Vulnerability details

This vulnerability is mainly due to the JNDI injection vulnerability in the lookup function contained in Log4j2, which can help developers to read the configuration in the corresponding environment through some protocols. The vulnerability triggering method is very simple. As long as the keyword ${ is included in the log content, the content contained in it can be replaced as a variable. The attacker does not need any permissions and can execute arbitrary commands.

漏洞复现

The version affected by this vulnerability is: Apache Log4j 2.x <= 2.14.1

At the same time, if you use the following applications, you will also be affected by this vulnerability:

  • Spring-Boot-strater-log4j2
  • Apache Struts2
  • Apache Solr
  • Apache Flink
  • Apache Druid
  • ElasticSearch
  • flume
  • dubbo
  • logstash
  • kafka

Bug fix

At present, the manufacturer has released a new version log4j-2.15.0-rc2, which has fixed vulnerabilities. I hope you can upgrade to the new version as soon as possible.

Official link: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2

If you are temporarily inconvenient to upgrade the version, you can also use the following methods for emergency treatment, and complete the version upgrade as soon as it is convenient:

  • Modify the jvm parameter -Dlog4j2.formatMsgNoLookups=true
  • Modify the configuration log4j2.formatMsgNoLookups=True
  • Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true

Whether it was a vulnerability in the rememberMe encryption algorithm of Apach Shiro's cookie persistence parameter the previous year, or the Fastjson remote code execution vulnerability notification in May last year. Network security always seems to have various problems, but discovering and fixing vulnerabilities is itself an upgrade of security. The security method that is not moving will soon be breached, and only continuous updates and upgrades are the real network security.

Recommended reading

The margins of the CSS box collapsed

Popular script kills the indissoluble bond with SaaS


云叔_又拍云
5.9k 声望4.6k 粉丝

又拍云是专注CDN、云存储、小程序开发方案、 短视频开发方案、DDoS高防等产品的国内知名企业级云服务商。