Serious hazard warning! Log4j execution vulnerability is exposed!
2022-06-26 05:12:00 【Another cloud shot】
In the early hours of December 10, details of a remote code execution vulnerability in the Apache open-source project Log4j2 were disclosed. The threat level of the vulnerability is: serious.
Log4j2 is a Java-based logging tool. It rewrites the Log4j framework and introduces a number of rich features, allowing users to control where log output is delivered: the console, files, GUI components and so on. At the same time, by defining a level for each log message, it lets users control the log generation process more finely.
Log4j is one of the most widely used Java logging frameworks in the world. The vulnerability also affects many of the world's most widely used open-source components, such as Apache Struts2, Apache Solr, Apache Druid and Apache Flink. Because the vulnerability is simple to exploit, once an attacker exploits it, arbitrary code can be executed on the target server, causing great harm.
Vulnerability details
The vulnerability lies in a JNDI injection flaw in Log4j2's lookup function, which helps developers read configuration from the corresponding environment through a number of protocols. Triggering the vulnerability is very simple: as long as the logged content contains the keyword ${, the content it encloses is substituted as a variable. The attacker needs no privileges and can execute arbitrary commands.
Affected versions: Apache Log4j 2.x <= 2.14.1
Applications that use the following are also affected by this vulnerability:
Spring-Boot-starter-log4j2
Apache Struts2
Apache Solr
Apache Flink
Apache Druid
ElasticSearch
flume
dubbo
logstash
kafka
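A quick inventory check for the affected range stated above. Added example in Python, not from the original post: it reads the version from the Maven pom.properties that log4j-core jars carry, rather than trusting jar file names; the two stub jars it builds are constructed for demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LAST_VULNERABLE = (2, 14, 1)  # page: Apache Log4j 2.x <= 2.14.1 is affected

def parse_version(version: str) -> Tuple[int, ...]:
    """'2.15.0-rc2' -> (2, 15, 0); a pre-release suffix is dropped."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_vulnerable(version: str) -> bool:
    """True for every 2.x release up to and including 2.14.1."""
    parsed = parse_version(version)
    return parsed[0] == 2 and parsed <= LAST_VULNERABLE

def log4j_core_version(jar: zipfile.ZipFile) -> Optional[str]:
    """log4j-core's version from pom.properties, or None if the jar has none."""
    try:
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_dir(root: str) -> List[Tuple[str, str, bool]]:
    """(jar name, version, vulnerable?) for each log4j-core jar under root."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        with zipfile.ZipFile(path) as jar:
            version = log4j_core_version(jar)
            if version is not None:
                findings.append((path.name, version, is_vulnerable(version)))
    return findings

def demo() -> List[Tuple[str, str, bool]]:
    """Constructed sample: two stub jars holding only log4j-core's pom.properties."""
    with tempfile.TemporaryDirectory() as root:
        for name, version in (("app-old.jar", "2.14.1"), ("app-new.jar", "2.15.0-rc2")):
            with zipfile.ZipFile(Path(root, name), "w") as jar:
                jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        return scan_dir(root)
```

Shaded (fat) jars that bundle log4j-core classes without its pom.properties are not reported by this check, so treat a clean result as a starting point rather than proof.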
Vulnerability fix
The vendor has now released a new version, log4j-2.15.0-rc2, which fixes the vulnerability. Please upgrade to the new version as soon as possible.
Official link: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
If upgrading is not convenient for the time being, you can also apply the following emergency mitigations, and complete the version upgrade as soon as it becomes convenient:
Modify the JVM parameters: -Dlog4j2.formatMsgNoLookups=true
Modify the configuration: log4j2.formatMsgNoLookups=True
Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true
Whether it was the year before last's flaw in the encryption algorithm behind Apache Shiro's cookie persistence parameter rememberMe, or last May's Fastjson remote code execution vulnerability notice, there always seem to be problems in network security. But finding and fixing a vulnerability is itself an upgrade to security. A security measure that stands still will soon be broken; only continuous updating and upgrading is real network security.