Log4j2 major vulnerabilities and Solutions
2022-07-06 16:59:00 【Xiaoxiamo】
Background
December 10, 2021 started out as an ordinary day, but by evening every chat group, forum and public account was discussing a single Log4j2 vulnerability, and a great many programmers got up in the middle of the night to patch code. The bug threatened network security worldwide: companies whose servers were reported to be exposed include, but are not limited to, Apple, Amazon, Tesla, Google, Baidu, Tencent, NetEase, JD.com, Twitter and Steam. Why did this vulnerability cause such a strong reaction? There are several reasons:
1. Wide coverage: any project that uses Log4j2 is at risk.
2. Easy to exploit: a single crafted request can seriously compromise the server.
3. High impact: the attacker ends up with the privileges of the application, that is, of the JVM process.
4. Long tail: the bug is expected to linger for years, because as long as a service is not updated the hole stays open.
As far as is known, the vulnerability was first found by Alibaba staff: on November 24 the Alibaba Cloud security team reported the Apache Log4j2 remote code execution vulnerability to Apache, and on December 9 further details became public.
Introduction to Log4j2
So what is the Log4j2 that caused such a large-scale security problem, and what is it for? Log4j2 is an Apache project: a Java logging library. It makes it easy to control whether log messages are emitted, where they go, in what mode and in what format, and to manage the logging pipeline in detail, all through a configuration file and without large code changes. That is why many Internet companies use it. Log4j 2 was a ground-up rewrite, released as 2.0 in 2014 with many new features, and it is this rewritten version that carries the bug. The new framework is widely used in business systems to record log information, so the main victims are Java applications that use Log4j2 (Log4j 1.x is not affected by this particular vulnerability, since it has no lookup mechanism, although it has long been end of life). Common open-source projects affected include spring-boot-starter-log4j2, Apache Solr, Apache Flink, Apache Druid, Elasticsearch, Flume, Dubbo, Logstash and Kafka, among others.
How the vulnerability works
How does the Log4j2 bug do its damage? The mechanism is simple and resembles SQL injection, only more powerful: it is direct code injection, so the injected code naturally runs with the application's own privileges. A component whose only job is to print logs ends up letting the attacker in through the front door.
The core of it: when a message is logged, if the message text contains the ${ } pattern, the content inside the braces is treated as a variable reference and replaced by the result of a lookup. Message text very often comes straight from user input (a User-Agent header, a username, a request parameter), so an attacker who can get a ${jndi:...} reference into a log line can make the JVM load and execute code from a server they control. The detailed disclosure is at: https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-3201?filter=allissues
The root cause is a Log4j2 plugin family called Lookup. Lookups are rarely used deliberately, but the code path that checks for them runs constantly: every info, warn or error call that writes a log entry scans the message for something to look up. The dangerous member is JndiLookup, which resolves the jndi: prefix through JNDI (the Java Naming and Directory Interface), and JNDI in turn can fetch objects from remote LDAP or RMI servers. (There is no separate RMILookup plugin; rmi:// is simply one of the protocols the JNDI lookup can be pointed at.) If an attacker can make your JVM resolve a reference to a server they run, the JVM fetches and instantiates a class the attacker supplies, and at that point your service host is meat on the chopping block.
Solutions
Option 1: drop Log4j2 entirely
Note that having no direct dependency on it in your project does not mean it is absent: it is often pulled in transitively, so search the whole dependency tree and the deployed artifacts (for Maven, mvn dependency:tree; for Gradle, gradle dependencies), not just your own pom or build file.
Option 2: upgrade to 2.15.0 or later
As of December 14, 2021 the project had reached 2.16-rc1, with several hurried releases in a matter of days, and the advice at the time was to update to at least 2.15.0. That advice was soon superseded: 2.15.0 turned out to be an incomplete fix (CVE-2021-45046), 2.16.0 removed message lookups entirely, and the releases Apache ultimately recommended are 2.17.1 for Java 8 and later, 2.12.4 for Java 7 and 2.3.2 for Java 6. Upgrade to the newest release of the branch you can run.
Releases: https://github.com/apache/logging-log4j2/tags
Option 3: change the JVM startup parameters
Some projects have complex dependencies and cannot easily be rebuilt. For those you can add the following JVM parameter at startup, which disables lookups in log messages. Two caveats: it only has an effect on Log4j2 versions 2.10 through 2.14.1 (the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true does the same), and Apache later withdrew it as a sufficient mitigation because lookups remained reachable through certain configurations (CVE-2021-45046). For versions that cannot be upgraded immediately, the recommended workaround is to delete the class org.apache.logging.log4j.core.lookup.JndiLookup from the log4j-core jar; the real fix remains upgrading.
-Dlog4j2.formatMsgNoLookups=true
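To turn "search the whole dependency tree" and "check the version" into something repeatable, here is a Python scanner, written for this page and not part of the post or of any Apache tooling. It walks a directory, opens every jar, war and ear (recursing into jars nested inside wars), reads the log4j-core version from its Maven pom.properties, checks whether JndiLookup.class is still present, and returns a verdict per archive. The version thresholds are Apache's final fixed releases (2.17.1 for Java 8 and later, 2.12.4 for Java 7, 2.3.2 for Java 6). The sample archives it builds are constructed stand-ins containing placeholder bytes, not real Log4j jars.

```python
"""Scan a directory tree for log4j-core archives and classify them.

Added example for this page; not Apache code. Sample jars are constructed.
"""
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); '2.16-rc1' -> (2, 16, 0). Qualifiers are dropped."""
    nums = [int(p) if p.isdigit() else 0 for p in text.split("-")[0].split(".")]
    return tuple((nums + [0, 0, 0])[:3])


def verdict(rec):
    """Classify one log4j-core record against Apache's final fixed releases."""
    version, has_jndi = rec["version"], rec["has_jndi_lookup"]
    if version is None:
        return "unknown version, JndiLookup present: treat as vulnerable"
    v = parse_version(version)
    fixed = (v >= (2, 17, 1)
             or (v[:2] == (2, 12) and v >= (2, 12, 4))   # Java 7 branch
             or (v[:2] == (2, 3) and v >= (2, 3, 2)))    # Java 6 branch
    if fixed:
        return "fixed release"
    if not has_jndi:
        return f"{version} with JndiLookup.class removed: mitigated, still upgrade"
    return f"{version}: below fixed release, upgrade"


def inspect_archive(src, label, results):
    """Record log4j-core found in `src` (a path or file object), recursing into
    nested archives such as WEB-INF/lib/*.jar inside a war."""
    try:
        zf = zipfile.ZipFile(src)
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or JNDI_CLASS in names:
            results.append({"where": label, "version": version,
                            "has_jndi_lookup": JNDI_CLASS in names})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(io.BytesIO(zf.read(name)), f"{label}!/{name}", results)


def scan(root):
    """Walk `root`; return {location: verdict} for every log4j-core found."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                inspect_archive(path, os.path.relpath(path, root), results)
    return {r["where"]: verdict(r) for r in results}


def build_sample_tree(root):
    """Constructed test data: fake jars holding only the two entries we inspect."""
    def fake_core(version, with_jndi=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
        return buf.getvalue()

    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(fake_core("2.17.1"))                   # fixed; class present but disabled
    with open(os.path.join(root, "log4j-core-2.14.1-patched.jar"), "wb") as f:
        f.write(fake_core("2.14.1", with_jndi=False))  # class deleted from the jar
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:              # vulnerable copy hidden inside a war
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_core("2.14.1"))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for where, result in sorted(demo().items()):
        print(f"{where}: {result}")
```

Two things the sample tree is built to show: JndiLookup.class is still shipped in 2.17.x (disabled by default), so the presence of the class alone proves nothing and the version decides; and conversely a 2.14.1 jar from which the class has been deleted is the documented stopgap, which the scanner reports as mitigated rather than fixed. Point scan() at your deployment directory rather than at the build tree, since the jar that matters is the one the JVM actually loads.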