Log4j has been exposed to a nuclear bomb level vulnerability, and the developer has fried the pot!

Hello everyone , I'm fish skin , Come to the point , Well known open source projects Apache Log4j Had an accident ！

2021 year 12 month 9 Japan , The project was exposed to exist Serious security vulnerabilities , The attacker only needs to pass a special piece of code to the target machine , Can trigger the vulnerability , Free to execute arbitrary code remotely to control the target machine ！

honestly , Just hearing the news , I feel terrible . because Log4j As Java Well known logging framework , With its flexible and efficient log generation ability , It is not only used by many self-research projects , It is also used as a basic framework by many star projects , image Redis、Kafka、Elasticsearch、Apache Flink、Apache Druid wait . You can imagine the scope of this vulnerability , It is even called “ Nuclear grade ” Loophole ！

After the vulnerability was exposed , It was not the innocent programmers who took action the first time , But the bad boys . It is said that , On the first day the vulnerability was made public , There have been nearly 10000 attacks using this vulnerability ！

Vulnerability details

according to CVE The vulnerability exposes the records of the website , The vulnerability exists Apache log4j <= 2.14.1 Version of （ But in fact , The version range affected is larger than this ）. Attackers can get through log4j Of lookup The replace function injects code anywhere in its configuration file （ similar SQL Inject , hold ${ Variable } Replace with ${ The actual code }）, Plus... Used in these versions JNDI The feature is not for LDAP Provide adequate protection , So that any injected code can be executed unscrupulously .

JNDI：Java Naming and Directory Interface , Provides the ability to access resources by name

LDAP： Lightweight Directory Access Protocol , Defines how to access content in a directory service

A combination of the two , You can complete the operation on the server directory , For example, add, delete, change and check .

There are some uses. Minecraft Java The little partner of the version opening service was cheated , Because the project uses log4j To record user chat logs , Therefore, players only need to enter some command codes of this and that in the chat window , It is injected and executed , So it's easy to cheat .

Solution

I sorted out three solutions , You can choose... According to the actual situation .

1. Upgraded version

at present Apache The official has released a patch version for this vulnerability 2.15.0-rc2, It is disabled by default lookup Behavior , Ensure that upgrading this version does not conflict with other dependencies of the project , Suggest to upgrade .

Although the scheme is relatively simple and crude , But whether this version is stable ？ Is there no loophole ？ It's hard to say. .

2. Modify the parameters

If you don't want to upgrade log4j Version of , If you are worried about conflicts with other dependencies of the project , May adopt Apache A temporary solution officially recommended —— Modify the parameters .

If your log4j edition >= 2.10, You can set system properties log4j2.formatMsgNoLookups Or environment variables LOG4J_FORMAT_MSG_NO_LOOKUPS by true To disable lookup Behavior ; If the version is in 2.0-beta9 To 2.10.0 Between , Can be removed directly from classpath Remove JndiLookup class , Just use the following command ：

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

This scheme is relatively not easy to cause project conflict , If the project is urgent and important , Let's deal with it first .

3. Change frame

Most violent 、 It is also the most thorough solution, that is, not at all log4j 了 , Use something else ！

For example, I abandoned it a long time ago log4j, change to the use of sth. logback 了 , If nothing else ,logback The test is more adequate , The quality is relatively guaranteed . After all, the logging framework is a necessary core dependency of a project , Stability is essential .

Of course , This approach may have a great impact on the project , If you must replace the frame as a whole , Adequate testing is recommended （ The higher the coverage, the better ）, It's not as simple as changing a few lines of code .

Finally, say a few more words , This event confirms the importance of software development Distrust principle , There is no absolute credibility 、 A completely trouble free service , So what we developers need to do is to keep an eye on it all the time , Try to design some protection or degradation measures for the instability of some services . For example, suppose that the distributed cache will hang up , The local cache can be redesigned to continue to provide temporary services , Guarantee the availability of the system .

But fortunately, this loophole has no impact on me , First, the project itself is useless log4j It is logback; Second, the business done in the company is the internal system , Most infrastructure and middleware are intranet , There is network level isolation protection ; Third, the services used in my own projects are also provided by cloud service providers , Even if something goes wrong , Basically, you don't have to solve it yourself （ However, there are still some security risks ）.

alas , I don't know how many friends have to work overtime on weekends , Did you lie down with the gun ？

I'm fish skin , Originality is not easy. , If you think the article is good , hope give the thumbs-up Under the support , Thank you. ~