
I thought that after last week’s 2.16.0 version upgrade, the vulnerability repair work of Log4j2 would basically come to an end.

Unexpectedly, at the weekend, Log4j officially released a new version: 2.17.0


This version mainly fixes one security vulnerability: CVE-2021-45105


Affected versions: 2.0-alpha1 to 2.16.0 (1.x users can continue to ignore this)

This vulnerability can only be triggered when the log configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}): malicious input data containing a recursive lookup sends the lookup into an infinite loop, and the process eventually crashes.

Only log4j-core is affected by this vulnerability; programs that only use log4j-api do not need to worry. So you can fix the vulnerability by upgrading log4j-core:

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.0</version>
</dependency>

Of course, if you are using Spring Boot, the method shared in the previous article on fixing the Log4j2 "nuclear bomb" vulnerability in Spring Boot projects lets you upgrade more conveniently. If you are learning Spring Boot, the free tutorial series that has been continuously updated for many years is recommended.

If it is not convenient to upgrade the version at present, you can also use the following two methods to mitigate this vulnerability:

  • In the PatternLayout of the log configuration, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with the %X, %mdc, or %MDC conversion patterns
  • Wherever external data (HTTP headers, user input, etc.) is logged, remove references to Context Lookups (such as ${ctx:loginId} or $${ctx:loginId})
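As an added example that is not part of the original post: a small Python audit of a log4j2.xml that flags every PatternLayout still using a Context Lookup and rewrites it to the equivalent %X{key} form from the first mitigation above. The sample configuration is constructed for illustration; the Context Lookup syntax it matches (${ctx:key} and $${ctx:key}, with an optional :-default) is Log4j2's own.

```python
"""Audit a Log4j2 XML configuration for PatternLayouts exposed to CVE-2021-45105."""
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key} and $${ctx:key}; the key may carry a default value (ctx:key:-default).
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}:]+)(?::-[^}]*)?\}")

# Constructed sample configuration (not from the post): one risky and one safe appender.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Risky" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p [user=$${ctx:loginId}] %c - %m%n"/>
    </Console>
    <RollingFile name="Safe" fileName="app.log" filePattern="app-%i.log">
      <PatternLayout>
        <Pattern>%d %p [user=%X{loginId}] %c - %m%n</Pattern>
      </PatternLayout>
    </RollingFile>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Risky"/></Root></Loggers>
</Configuration>
"""


def _layout_pattern(layout):
    """PatternLayout accepts the pattern as an attribute or as a <Pattern> child element."""
    return layout.get("pattern") or (layout.findtext("Pattern") or "").strip()


def find_context_lookups(config_xml):
    """Return (appender name, pattern, [ctx keys]) for each PatternLayout that uses a Context Lookup."""
    root = ET.fromstring(config_xml)
    findings = []
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            pattern = _layout_pattern(layout)
            keys = CTX_LOOKUP.findall(pattern)
            if keys:
                findings.append((element.get("name", element.tag), pattern, keys))
    return findings


def harden_pattern(pattern):
    """Rewrite each Context Lookup to %X{key}; %X reads the MDC value without lookup expansion."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


if __name__ == "__main__":
    for name, pattern, keys in find_context_lookups(SAMPLE_CONFIG):
        print(f"{name}: keys {keys} -> suggested pattern: {harden_pattern(pattern)}")
```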

Okay, that's all for now. Everyone should check their own systems, take the necessary protective measures, and try to get a good night's sleep!

You are welcome to follow my official account, Program Ape DD, where I share knowledge and thoughts you won't see elsewhere.

程序猿DD (Program Ape DD)
2.2k reputation, 2.8k followers

Works: "Spring Cloud Microservices in Action", the SpringForAll community, OpenWrite, YouTube Chinese dubbing