影响的版本范围:Apache Log4j 2.x <= 2.14.1
当发现网上爆出log4j2出现漏洞时,自己也做了测试,确实是非常严重的问题。同时,测试了slf4j包,未出现类似的漏洞
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
private static final Logger logger = LoggerFactory.getLogger(Test.class);//slf4j
一、解决方法:
升级log4j2包的版本,升级到2.15.0
用到 Log4j2 的话请尽快升级版本
二、来不及更新版本修复,可通过下面的方法紧急缓解问题:
1.修改jvm参数 -Dlog4j2.formatMsgNoLookups=true
2.修改配置:log4j2.formatMsgNoLookups=True
3.将系统环境变量 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 设置为 true
三、漏洞
1. log4j官网lookups
https://logging.apache.org/log4j/2.x/manual/lookups.html
比如:
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
public class Test {
private static final Logger logger = LogManager.getLogger(Test.class);//log4j
public static void main(String[] args) {
//参数
//String user = "{name:张三,age:14}";
//带有$符号的参数
// String user = "${java:vm}";
// String user = "${java:version}";
// String user = "${java:runtime}";
// String user = "${java:os}";
// String user = "${java:oracle}";
String user = "${java:hw}";
logger.info("user:{}",user);
}
}
2.通过JNDI注入漏洞,黑客可以恶意构造特殊数据请求包,触发此漏洞
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
public class Test {
private static final Logger logger = LogManager.getLogger(Test.class);//log4j
public static void main(String[] args) {
//jndi
String user = "${jndi:rmi://127.0.0.1:1099/example}";
logger.info("user:{}",user);
}
}