一、【紧急补救措施】
(1) 修改jvm参数 -Dlog4j2.formatMsgNoLookups=true
(2) 修改配置log4j2.formatMsgNoLookups=True
(3) 将系统环境变量 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 设置为 true
首先修改supervisor的配置文件
增加环境变量
遍历一下日志文件,看看是否有攻击
没有人攻击,很好
二、修改依赖库
【影响范围】:Java类产品:Apache Log4j 2.x < 2.15.0-rc2
可能的受影响应用及组件(包括但不限于)如下:
Apache Solr
Apache Flink
Apache Druid
Apache Struts2
srping-boot-strater-log4j2
ElasticSearch
flume
dubbo
Redis
logstash
kafka
更多组件可参考如下链接:
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/usages?p=1
不受影响版本:Apache log4j-2.15.0-rc2
首先在根pom文件直接引入依赖
<!-- 升级log4j到2.15.0版本,解决远程命令执行的bug -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-jcl</artifactId>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-jul</artifactId>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-web</artifactId>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jul-to-slf4j</artifactId>
<version>1.7.32</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-to-slf4j</artifactId>
<version>2.15.0</version>
</dependency>
<!-- 升级log4j到2.15.0版本,解决远程命令执行的bug -->
查找是不是引入成功了
觉得文件太长可以过滤一下
linux用grep代替findstr
在有问题的组件内加入
<exclusions>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-jul</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-jcl</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-to-slf4j</artifactId>
</exclusion>
</exclusions>
最后在idea使用show effective pom再检查
发现版本升级了
经过以上操作,大体可以暂时放心了