This article takes about 5 minutes to read. Patching application vulnerabilities cannot wait!
1. About 以数据之名
- Our accounts on Toutiao, WeChat Official Accounts, Zhihu and Juejin all go by the name "以数据之名";
- Follow us and leave a comment to discuss;
- This article summarises hands-on experience with remediation strategies for the recent chain of five Apache Log4j vulnerabilities.
2. Overview of the Log4j vulnerabilities
| Item | Details |
| --- | --- |
| Security advisory (high severity) | The chain of five Apache Log4j security vulnerabilities |
| Summary | CVE-2021-44832: in certain special scenarios (for example, when the system dynamically loads a remote configuration file), an attacker with permission to modify the logging configuration file can build a malicious configuration that references a JNDI URI data source through the JDBC Appender, triggering JNDI injection; successful exploitation can lead to remote code execution. |
| Affected range | CVE-2021-44228: CVE-2021-44832: 2.0-beta7 <= Apache Log4j2 <= 2.17.0 |
| Impact | An attacker who exploits the above vulnerabilities can execute arbitrary code on the target server and launch denial-of-service attacks. |
| Recommended action | Upgrade to: |
| Remediation window | Complete the fix within 30 days |
3. Log4j versions by JDK version
3.1 Applications on JDK 1.6
| Log4j version | Fix status | Notes |
| --- | --- | --- |
| 2.0.x~2.3 | Not fixed | |
| 2.3.2 | Fixed | Recommended upgrade target for applications on JDK 1.6 |
3.2 Applications on JDK 1.7
| Log4j version | Fix status | Notes |
| --- | --- | --- |
| 2.4~2.12.1 | Not fixed | |
| 2.12.2 | Partially fixed | JNDI vulnerability fixed; the others are not |
| 2.12.3 | Partially fixed | Mostly fixed, but not completely |
| 2.12.4 | Fixed | Recommended upgrade target for applications on JDK 1.7 |
3.3 Applications on JDK 1.8
| Log4j version | Fix status | Notes |
| --- | --- | --- |
| 2.13.0~2.14.1 | Not fixed | |
| 2.15.0 | Partially fixed | JNDI vulnerability fixed; the others are not |
| 2.16.0 | Partially fixed | JNDI and Lookup vulnerabilities fixed; the others are not |
| 2.17.0 | Fixed | Fixes the MDC recursive lookup (infinite recursion) vulnerability |
| 2.17.1 | Fixed | Recommended upgrade target for applications on JDK 1.8 |
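To turn the three tables above (and the disruptor pairing from section 6.1) into a check you can run over a build file, here is an added example that is not part of the original article: it parses a pom.xml, classifies every Log4j artifact against the fix matrix for a given JDK line, flags a half-done upgrade where log4j-api was bumped but log4j-core was not, and checks the disruptor version. The sample POM at the bottom is constructed; the function and constant names are the example's own.

```python
import re, xml.etree.ElementTree as ET

LOG4J = "org.apache.logging.log4j"
TARGET_BY_JDK = {"1.6": "2.3.2", "1.7": "2.12.4", "1.8": "2.17.1"}  # tables 3.1 to 3.3
FIXED = {"2.3.2", "2.12.4", "2.17.0", "2.17.1"}          # rated "fixed" in the tables
PARTIAL = {"2.12.2", "2.12.3", "2.15.0", "2.16.0"}       # rated "partially fixed"

def version_key(v):
    """Numeric tuple for ordering: '2.17.1' -> (2, 17, 1), '2.0-beta7' -> (2, 0)."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

def disruptor_for(log4j_version):
    """Section 6.1 pairing: the 2.3 line takes disruptor 3.3.2, later lines 3.4.2."""
    return "3.3.2" if version_key(log4j_version) < (2, 4) else "3.4.2"

def dependencies(pom_xml):
    """(groupId, artifactId, version) for every <dependency>, ignoring the POM namespace."""
    local = lambda tag: tag.split("}")[-1]
    deps = []
    for dep in ET.fromstring(pom_xml).iter():
        if local(dep.tag) == "dependency":
            f = {local(c.tag): (c.text or "").strip() for c in dep}
            deps.append((f.get("groupId"), f.get("artifactId"), f.get("version")))
    return deps

def log4j_status(version):
    """Classify per the matrix; anything newer than 2.17.1 is treated as fixed too."""
    if version in FIXED or version_key(version) >= (2, 17, 1):
        return "fixed"
    return "partially fixed" if version in PARTIAL else "unfixed"

def audit(pom_xml, jdk):
    """Findings for one POM on one JDK line; an empty list means nothing to change."""
    target, deps, findings = TARGET_BY_JDK[jdk], dependencies(pom_xml), []
    versions = sorted({v for g, _, v in deps if g == LOG4J and v})
    for v in versions:
        if log4j_status(v) != "fixed":
            findings.append(f"log4j {v} is {log4j_status(v)}: upgrade to {target} for JDK {jdk}")
    if len(versions) > 1:  # api bumped but core left behind is a common half-done fix
        findings.append(f"mixed log4j versions {versions}: align every log4j artifact on {target}")
    for g, a, v in deps:
        if (g, a) == ("com.lmax", "disruptor") and v != disruptor_for(target):
            findings.append(f"disruptor {v} should be {disruptor_for(target)} for log4j {target}")
    return findings
# Constructed sample POM: api already bumped, core still 2.14.1, disruptor from the 2.3 line.
SAMPLE_POM = """<project><dependencies>
<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-api</artifactId><version>2.17.1</version></dependency>
<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>2.14.1</version></dependency>
<dependency><groupId>com.lmax</groupId><artifactId>disruptor</artifactId><version>3.3.2</version></dependency>
</dependencies></project>"""
```

Calling `audit(SAMPLE_POM, "1.8")` returns three findings (an unfixed log4j-core, mixed Log4j versions, and a disruptor mismatch); read a real pom.xml into the first argument to audit your own project.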
4. Upgrading applications on JDK 1.8
4.1 Maven dependency replacement
<dependencies>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.17.1</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.1</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>2.17.1</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-jcl</artifactId>
    <version>2.17.1</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-jul</artifactId>
    <version>2.17.1</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.17.1</version>
  </dependency>
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId>
    <version>1.7.25</version>
  </dependency>
  <dependency>
    <groupId>commons-logging</groupId>
    <artifactId>commons-logging</artifactId>
    <version>1.2</version>
  </dependency>
  <dependency>
    <groupId>com.lmax</groupId>
    <artifactId>disruptor</artifactId>
    <version>3.4.2</version>
  </dependency>
</dependencies>
4.2 Ivy dependency replacement
<dependencies>
  <dependency org="org.apache.logging.log4j" name="log4j-api" conf="zip->default" rev="2.17.1" />
  <dependency org="org.apache.logging.log4j" name="log4j-core" conf="zip->default" rev="2.17.1" />
  <dependency org="org.apache.logging.log4j" name="log4j-1.2-api" conf="zip->default" rev="2.17.1" />
  <dependency org="org.apache.logging.log4j" name="log4j-jcl" conf="zip->default" rev="2.17.1" />
  <dependency org="org.apache.logging.log4j" name="log4j-jul" conf="zip->default" rev="2.17.1" />
  <dependency org="org.apache.logging.log4j" name="log4j-slf4j-impl" conf="zip->default" rev="2.17.1" />
  <dependency org="org.slf4j" name="slf4j-api" conf="zip->default" rev="1.7.25" />
  <dependency org="commons-logging" name="commons-logging" conf="zip->default" rev="1.2" />
  <dependency org="com.lmax" name="disruptor" conf="zip->default" rev="3.4.2" />
</dependencies>
5. Upgrading applications not on JDK 1.8
5.1 JDK 1.7 Maven dependency replacement
<dependencies>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.12.4</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.12.4</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>2.12.4</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-jcl</artifactId>
    <version>2.12.4</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-jul</artifactId>
    <version>2.12.4</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.12.4</version>
  </dependency>
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId>
    <version>1.7.25</version>
  </dependency>
  <dependency>
    <groupId>commons-logging</groupId>
    <artifactId>commons-logging</artifactId>
    <version>1.2</version>
  </dependency>
  <dependency>
    <groupId>com.lmax</groupId>
    <artifactId>disruptor</artifactId>
    <version>3.4.2</version>
  </dependency>
</dependencies>
5.2 JDK 1.6 Maven dependency replacement
<dependencies>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.3.2</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.3.2</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>2.3.2</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-jcl</artifactId>
    <version>2.3.2</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-jul</artifactId>
    <version>2.3.2</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.3.2</version>
  </dependency>
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId>
    <version>1.7.25</version>
  </dependency>
  <dependency>
    <groupId>commons-logging</groupId>
    <artifactId>commons-logging</artifactId>
    <version>1.2</version>
  </dependency>
  <dependency>
    <groupId>com.lmax</groupId>
    <artifactId>disruptor</artifactId>
    <version>3.3.2</version>
  </dependency>
</dependencies>
6. Other issues encountered during the Log4j fix
6.1 Version compatibility of com.lmax disruptor
- Log4j 2.12.2 and 2.16.0 use disruptor 3.4.2.
- Log4j 2.3 uses disruptor 3.3.2.
6.2 DocumentBuilderFactory.setFeature cannot be found
Add the following dependencies and remove every other xerces jar, keeping only these:
<dependencies>
  <dependency>
    <groupId>xerces</groupId>
    <artifactId>xercesImpl</artifactId>
    <version>2.12.1</version>
  </dependency>
  <dependency>
    <groupId>xml-apis</groupId>
    <artifactId>xml-apis</artifactId>
    <version>1.4.01</version>
  </dependency>
</dependencies>
6.3 "Invalid byte tag in constant pool: 19" exception
This exception is caused by an old Tomcat version and is resolved by upgrading to a newer Tomcat 8 release; it does not affect application availability. The message it resolves is: SEVERE: Unable to process Jar entry [module-info.class] from Jar [jar:file:/opt/oracle/tomcat/webapps/app-sys/WEB-INF/lib/jackson-annotations.jar!/] for annotations org.apache.tomcat.util.bcel.classfile.ClassFormatException: Invalid byte tag in constant pool: 19
A word from the editor
One editor's strength is modest, but the light of many readers shines bright. The editor opens the door and hopes you will share your original articles; expectation fills the heart and gratitude overflows. In short, contact the editor to submit your original articles!
Let's become technical experts together
Follow us, chat happily, grow together