log4j2-2021-12-09
The current release is now 2.17.0. Separately, logback versions before 1.2.9 also have an LDAP-related vulnerability.
To be looked at later.
- For Spring Boot projects, logging usually goes through the slf4j facade: spring-boot-starter-web depends on the logging starter, which depends on log4j-to-slf4j, which in turn depends on log4j-api. log4j-api does not contain the Lookup code, so many such projects may not need an upgrade. See https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
- Judging from the source, the problem lies in org.apache.logging.log4j.core.lookup.JndiLookup in the log4j-core package, so a fine-grained check can start from whether that class is actually on the classpath.
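As an added example (not from the original notes, the Spring blog post, or the Log4j project), the Python script below does the fine-grained check described above: it walks a directory of archives, descends into nested jars such as BOOT-INF/lib inside a Spring Boot fat jar, and reports every log4j-core copy with its version (read from Maven pom.properties) and whether JndiLookup.class is present. The affected version range is the one the advisory text further down gives; the sample fat jar is constructed in code with dummy class bytes, and a log4j-api jar is included to show that it produces no finding.

```python
import io
import re
import zipfile
from pathlib import Path

# Paths inside a log4j-core jar that identify the vulnerable lookup and the version.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

def parse_version(text):
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple (alpha < beta < rc < final)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = {"alpha": 0, "beta": 1, "rc": 2, None: 3}[pre]
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))

# Affected range as stated in the advisory text on this page.
AFFECTED_MIN = parse_version("2.0-beta9")
AFFECTED_MAX = parse_version("2.14.1")

def version_from_pom_properties(data):
    """Read the 'version=' key out of a Maven pom.properties file."""
    for line in data.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None

def inspect_jar_bytes(name, data, findings):
    """Inspect one archive held in memory and append a finding for every log4j-core
    copy in it; nested archives (Spring Boot keeps dependencies under BOOT-INF/lib/)
    are inspected recursively."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container: nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = version_from_pom_properties(zf.read(CORE_POM_PROPS)) if CORE_POM_PROPS in names else None
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            in_range = False
            if version is not None:
                try:
                    in_range = AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
                except ValueError:
                    pass  # unparseable version string: rely on the class check instead
            findings.append({
                "archive": name,
                "log4j_core_version": version,
                "jndi_lookup_present": has_jndi,
                "version_in_affected_range": in_range,
            })
        for entry in sorted(names):
            if entry.endswith(ARCHIVE_SUFFIXES):
                inspect_jar_bytes(f"{name}!/{entry}", zf.read(entry), findings)

def scan_path(root):
    """Scan a file or a directory tree on disk and return the list of findings."""
    root = Path(root)
    findings = []
    for p in ([root] if root.is_file() else root.rglob("*")):
        if p.is_file() and p.suffix in ARCHIVE_SUFFIXES:
            inspect_jar_bytes(str(p), p.read_bytes(), findings)
    return findings

def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()

def build_sample_fat_jar():
    """Constructed sample (not a real build): a Spring Boot style fat jar bundling
    log4j-core 2.14.1 (with JndiLookup) and log4j-api 2.14.1 (without it).
    Class entries hold dummy bytes, not real bytecode."""
    core = _jar_bytes({
        CORE_POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",
    })
    api = _jar_bytes({
        "META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties": b"version=2.14.1\n",
        "org/apache/logging/log4j/Logger.class": b"\xca\xfe\xba\xbe",
    })
    return _jar_bytes({
        "BOOT-INF/classes/application.properties": b"",
        "BOOT-INF/lib/log4j-core-2.14.1.jar": core,
        "BOOT-INF/lib/log4j-api-2.14.1.jar": api,
    })

if __name__ == "__main__":
    import json
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "app.jar").write_bytes(build_sample_fat_jar())
        print(json.dumps(scan_path(tmp), indent=2))
```

Run it against a deployment directory (scan_path("/opt/app")) rather than the sample. The class check matters more than the version string: a jar that has been stripped of JndiLookup.class reports jndi_lookup_present as false even when its version is still in range, and a shaded or repackaged jar may carry no pom.properties at all.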
Remediation:
- Apache has released an official patch; affected users are advised to upgrade to a fixed version as soon as possible. Patch download address:
- JDK 1.8.121 and later disable trustURLCodebase remote class loading by default, so the RCE via LDAP and RMI no longer works; upgrading the JDK is therefore another option.
Mitigations (version dependent; some do not apply to every version, see the extended notes for details):
(1) Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true
(2) Set the configuration property log4j2.formatMsgNoLookups=True
(3) Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true
Extended notes
JNDI (Java Naming and Directory Interface)
Base CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1
Description: Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.
Mitigation:
- In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
- For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.
- For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
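As an added example (not part of the original notes or of the Log4j project), the Python below implements the second and third mitigations listed above: rewriting the message converter in PatternLayout patterns to %m{nolookups} (the advisory's option for releases >=2.7 and <=2.14.1) and stripping JndiLookup.class out of a log4j-core jar (a Python equivalent of the zip -q -d command, for releases >=2.0-beta9 and <=2.10.0). The log4j2.xml and the stand-in jar are constructed samples. The pattern rewrite is a plain text substitution: it handles %m, %msg and %message, skips converters that merely start with m (%marker, %maxLen), and leaves a converter that already carries an option block untouched so it can be reviewed by hand.

```python
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# %m, %msg or %message with no option block yet. A following letter would mean a
# different converter (%marker, %maxLen), so the lookahead excludes those.
_MSG_CONVERTER = re.compile(r"%(message|msg|m)(?![A-Za-z{])")
_PATTERN_ATTR = re.compile(r'(<PatternLayout\b[^>]*\bpattern=")([^"]*)(")')
_PATTERN_ELEM = re.compile(r"(<Pattern>)([^<]*)(</Pattern>)")

def harden_pattern(pattern):
    """Rewrite one PatternLayout pattern so the message converter is %m{nolookups}.
    Converters that already carry an option block are left untouched for manual review."""
    return _MSG_CONVERTER.sub(r"%\1{nolookups}", pattern)

def harden_log4j2_xml(xml_text):
    """Apply harden_pattern to every pattern="..." attribute and <Pattern> element in a
    log4j2.xml. This is a text-level rewrite, so comments and formatting are preserved."""
    def fix(m):
        return m.group(1) + harden_pattern(m.group(2)) + m.group(3)
    return _PATTERN_ELEM.sub(fix, _PATTERN_ATTR.sub(fix, xml_text))

def jar_entries(jar_bytes):
    """Sorted entry names of a jar held in memory (used to verify the result)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(zf.namelist())

def strip_jndi_lookup(jar_bytes):
    """Python equivalent of `zip -q -d log4j-core-*.jar .../JndiLookup.class`: copy every
    entry except JndiLookup.class into a new jar, keeping each entry's compression method
    and timestamp. Returns (new_jar_bytes, number_of_entries_removed)."""
    out = io.BytesIO()
    removed = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue(), removed

# Constructed sample config, not taken from any real project.
SAMPLE_LOG4J2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
    <File name="File" fileName="app.log">
      <PatternLayout><Pattern>%d %p %c{1.} [%t] %m%n</Pattern></PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="File"/></Root></Loggers>
</Configuration>
"""

def build_sample_core_jar():
    """Constructed stand-in for a log4j-core jar; class entries are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    print(harden_log4j2_xml(SAMPLE_LOG4J2_XML))
    patched, n = strip_jndi_lookup(build_sample_core_jar())
    print(f"removed {n} entry; remaining entries: {jar_entries(patched)}")
```

Both rewrites are idempotent, so they can be rerun safely. A stripped jar only protects a JVM once it has been redeployed and the process restarted, and the rewritten log4j2.xml must be the one the application actually loads; confirm the former with jar_entries on the deployed file and the latter by checking the configuration path Log4j reports at startup.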