This morning, before I got out of bed, I picked up my phone and saw a headline that immediately left me feeling a little down.

I got up right away and went straight to the official logback site to find out what the problem was and how bad it is.

Since the problem affects versions below 1.2.9, the thing to check is what 1.2.9 fixes. It was released on December 16, so it had already been out for a few days; my first guess was that the problem could not be too big.

Looking closer, the vulnerability this release mainly fixes is CVE-2021-42550.

The details of this vulnerability are as follows:

The vulnerability affects logback versions below 1.2.9. An attacker who can edit the logback configuration file can craft a malicious configuration that makes the application execute arbitrary code loaded from an LDAP server (the attack goes through logback's JNDI lookup support).

That sounds serious from the description, but it is not as bad as it reads. From the figure above you can see that the vulnerability's severity is rated only MEDIUM.

To head off panic (after all, the past two weeks of being put through the wringer by log4j2 were bad enough), the official announcement also stressed that this vulnerability is in a completely different severity class from log4j2's, because the logback vulnerability has a precondition: the attacker must already have write access to the logback configuration file for the attack to work. In other words, it only adds something for an attacker who already has a foothold on the host, or in the deployment pipeline that produces that file.

Of course, if you are not confident in your host-level controls and still worry about the application, you can also upgrade logback to close off this potential problem.

Because many readers on the DD side use Spring Boot, I also looked at which logback version each Spring Boot release ships. Only the just-released 2.6.2 and 2.5.8 use 1.2.9; every earlier release is in the affected range. If you are learning Spring Boot, I recommend a free tutorial that has been serialized for many years and is still being updated: https://blog.didispace.com/spring-boot-learning-2x/

So users of 2.6.x and 2.5.x can simply upgrade to the latest patch release. For earlier versions, the old trick is to override the `logback.version` property that Spring Boot's dependency management exposes in your build properties.
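As an added example (not a snippet from the original post or from the Spring Boot project), here is a minimal pom.xml that inherits from spring-boot-starter-parent and pins logback to 1.2.9 through that property. The parent version 2.4.13, the group/artifact names and the starter dependency are assumptions; any Spring Boot release before 2.5.8 / 2.6.2 would need the same override.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <!-- Assumed example version: any release before 2.5.8 / 2.6.2
         manages an affected logback version. -->
    <version>2.4.13</version>
    <relativePath/>
  </parent>

  <!-- Assumed example coordinates -->
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <java.version>11</java.version>
    <!-- Overrides the version that spring-boot-dependencies manages for
         ch.qos.logback:logback-classic and ch.qos.logback:logback-core,
         so spring-boot-starter-logging pulls in the fixed release. -->
    <logback.version>1.2.9</logback.version>
  </properties>

  <dependencies>
    <!-- Transitively brings in spring-boot-starter-logging and therefore logback -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
```

Verify the override took effect with `mvn dependency:tree -Dincludes=ch.qos.logback`, which should list logback-classic and logback-core at 1.2.9. With Gradle and the Spring Boot plugin the equivalent line in build.gradle is `ext['logback.version'] = '1.2.9'`.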

Beyond upgrading, the logback team also recommends making the logback configuration file read-only. For that to mean anything, the file should be owned by a user other than the one the JVM runs as (otherwise the application's own identity can simply change the mode back), and if your configuration uses `scan="true"`, remember that logback re-reads the file at runtime, so a modified file takes effect without a restart.
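As an added example (not from the original post or from the logback project), the POSIX sh script below turns the two remediations above into a post-deployment check: it flags any logback-classic jar in an application's lib directory that is older than 1.2.9, and it reports whether the logback configuration file still has any write permission bits. It assumes jars follow Maven's `logback-classic-<version>.jar` naming; the paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not logback's own tooling.
#   1. scan_lib_dir DIR      -> is any logback-classic jar older than 1.2.9?
#   2. config_is_readonly F  -> is the logback config file free of write bits?
# Plain POSIX sh so it runs inside minimal application containers.

FIXED_VERSION="1.2.9"

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower
# than B. Pre-release suffixes such as "-alpha5" are ignored; only the first
# three numeric fields are compared. Variables are prefixed because POSIX sh
# has no guaranteed "local".
version_lt() {
  vl_a=$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0   # pad so 3 fields exist
  vl_b=$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0
  vl_i=1
  while [ "$vl_i" -le 3 ]; do
    vl_x=$(printf '%s' "$vl_a" | cut -d. -f"$vl_i")
    vl_y=$(printf '%s' "$vl_b" | cut -d. -f"$vl_i")
    [ "$vl_x" -lt "$vl_y" ] && return 0
    [ "$vl_x" -gt "$vl_y" ] && return 1
    vl_i=$((vl_i + 1))
  done
  return 1   # versions are equal
}

# scan_lib_dir DIR: print "<version> VULNERABLE" or "<version> ok" for every
# logback-classic-<version>.jar in DIR. Exit 0 when everything is at or above
# FIXED_VERSION, 1 when at least one jar is older.
scan_lib_dir() {
  sl_status=0
  for sl_jar in "$1"/logback-classic-*.jar; do
    [ -e "$sl_jar" ] || continue             # glob matched nothing
    sl_name=${sl_jar##*/}
    sl_version=${sl_name#logback-classic-}
    sl_version=${sl_version%.jar}
    if version_lt "$sl_version" "$FIXED_VERSION"; then
      printf '%s VULNERABLE\n' "$sl_version"
      sl_status=1
    else
      printf '%s ok\n' "$sl_version"
    fi
  done
  return "$sl_status"
}

# config_is_readonly FILE: succeed when no write bit is set for owner, group
# or others (the chmod 444 state recommended for logback.xml). Parses ls -l
# instead of stat because stat's flags differ between GNU and BSD.
config_is_readonly() {
  [ -f "$1" ] || return 1
  case $(ls -ld "$1" | cut -c2-10) in
    *w*) return 1 ;;
  esac
  return 0
}

# Usage (placeholder paths): ./logback-check.sh /opt/app/lib /opt/app/logback.xml
if [ "$#" -eq 2 ]; then
  scan_lib_dir "$1" || echo "WARNING: logback-classic older than $FIXED_VERSION in $1"
  if config_is_readonly "$2"; then
    echo "$2 is read-only"
  else
    echo "WARNING: $2 is writable; consider chmod 444 and an owner other than the JVM user"
  fi
fi
```

The version comparison is purely numeric, matching the post's "below 1.2.9" rule; it does not try to judge pre-release builds beyond their numeric prefix. The permission check only inspects mode bits, so a file owned by the application user still needs the ownership caveat above.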

Finally, don't panic. Take your time; this is nowhere near as serious as log4j2!

Okay, that's all for today! If you run into difficulties while learning, you are welcome to join our Spring technology exchange group to discuss, learn and improve together.

Welcome to follow my official account, Program Ape DD, for the latest industry news, in-depth technical articles and quality learning resources.

程序猿DD (Program Ape DD). Works: the book 《Spring Cloud微服务实战》, the SpringForAll community, OpenWrite, and Chinese-dubbed YouTube videos.