
Official remediation for the Log4j2 vulnerability CVE-2021-44228

The Apache site has published a fix for the Log4j2 vulnerability. Roughly, it says the following.

The Log4j team has been made aware of the security vulnerability CVE-2021-44228, which has been fixed in Log4j 2.15.0.

Log4j's JNDI support did not restrict which names could be resolved; some of the protocols are unsafe and can allow remote code execution. Log4j now restricts the allowed protocols to java, ldap and ldaps only, and restricts the ldap protocols to accessing only Java primitive objects served on the local host.

Because Log4j allows Lookups to appear in log messages, this scenario can expose the vulnerability. As of Log4j 2.15.0 this feature is disabled by default. Although an option to enable Lookups is still provided, users are strongly discouraged from enabling it.

For those who cannot upgrade to 2.15.0 and are on a release >=2.10, the vulnerability can be mitigated by setting the JVM system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.0-beta9 to 2.10.0, mitigate by removing the JndiLookup class from the jar with: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

The full English text follows.

The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0.

Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host.

One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.

For those who cannot upgrade to 2.15.0, in releases >=2.10, this vulnerability can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
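The following script is an added example, not code from Apache or from this page: it reads a log4j-core jar, picks the mitigation the advisory above prescribes for that version (upgrade, the formatMsgNoLookups property, or removal of JndiLookup.class), and can rewrite the jar without that class, which is what the zip -q -d command does. It assumes the version is recorded in the Maven pom.properties entry inside the jar; the sample jar it builds is constructed in-memory for the demonstration.

```python
import io
import re
import zipfile

# Entry the advisory says to delete for releases 2.0-beta9 to 2.10.0
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed location of the Maven metadata carrying the artifact version
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def version_tuple(version):
    """'2.10.0' -> (2, 10, 0); '2.0-beta9' -> (2, 0, 0) (pre-release tag ignored)."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))


def assess_jar(jar_bytes):
    """Return (version, has_jndi_lookup, advice) following the advisory's thresholds."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_lookup = JNDI_LOOKUP in names
    if version is None:
        advice = "unknown version: treat as vulnerable, upgrade to 2.15.0"
    elif version_tuple(version) >= (2, 15, 0):
        advice = "fixed release"
    elif version_tuple(version) >= (2, 10, 0):
        advice = "set log4j2.formatMsgNoLookups=true (or LOG4J_FORMAT_MSG_NO_LOOKUPS=true), then upgrade"
    else:
        advice = "remove JndiLookup.class from the jar, then upgrade"
    return version, has_lookup, advice


def strip_jndi_lookup(jar_bytes):
    """Rewrite the jar without JndiLookup.class (in-memory equivalent of `zip -q -d`)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar(version, with_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar; the class bodies are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Running `assess_jar(strip_jndi_lookup(build_sample_jar("2.8.2")))` reports the class as gone while the rest of the jar is kept; on a real deployment, point it at each log4j-core jar on the classpath rather than the constructed sample.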

Link: https://logging.apache.org/log4j/2.x/
