I. Introduction to the framework

Apache Log4j 2 is an excellent Java logging framework. It is a rewrite of the original Log4j framework and introduces a number of rich features. The logging framework is widely used in business system development to record log information.

II. List of vulnerabilities

  1. Because Apache Log4j2 contains recursive parsing (lookup) functions, an attacker can directly construct a malicious request and trigger a remote code execution vulnerability. CVE-2021-44228 (mitre.org)
  2. Security firm Praetorian found a further serious vulnerability in 2.15.0, an information disclosure vulnerability that can be used to exfiltrate data from affected servers. (Log4j 2.15.0 still allows for exfiltration of sensitive data - Praetorian)
  3. Apache Log4j2 versions 2.0-alpha1 to 2.16.0 do not prevent uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default pattern layout with a context lookup (for example, $${ctx:loginId}), an attacker who controls Thread Context Map (MDC) input data can craft malicious input containing a recursive lookup, causing a StackOverflowError that terminates the process. This is also known as a DoS (denial of service) attack. CVE-2021-45046 (mitre.org)

III. Scope of impact

Apache Log4j 2.x and above

IV. Remediation measures

You are advised to check whether your Java applications import the log4j-api and log4j-core jars. If both jars are used, the application may be affected. Affected users are strongly advised to apply protective measures as soon as possible.
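One way to automate that check, added here as an example that is not part of the original post: scan a deployment directory for jars, read the version that log4j-core records in its Maven pom.properties, and flag anything below 2.17.0, the release the post recommends. The pom.properties path and the JndiLookup class path are the standard Maven/Log4j layouts; the sample jars are constructed in memory and are not real Log4j artifacts.

```python
import io
import os
import re
import zipfile
from typing import Optional

FIXED_VERSION = (2, 17, 0)  # upgrade target recommended in this post (2.17.0-rc1 counts as fixed)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text: str) -> Optional[tuple]:
    """Turn '2.14.1' or '2.17.0-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_log4j_jar(jar_bytes: bytes) -> dict:
    """Report whether a jar is log4j-core, which version, and whether it needs the upgrade."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            names = set(zf.namelist())
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:  # not a jar at all, so nothing to report
        return {"is_log4j_core": False, "version": None, "has_jndi_lookup": False, "affected": False}
    is_core = POM_PROPS in names
    # An unreadable version on a log4j-core jar is treated as affected (fail closed).
    affected = is_core and (version is None or version < FIXED_VERSION)
    return {"is_log4j_core": is_core, "version": version,
            "has_jndi_lookup": JNDI_CLASS in names, "affected": affected}


def scan_directory(root: str) -> list:
    """Walk a deployment directory and return (path, report) for every affected jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    report = inspect_log4j_jar(fh.read())
                if report["affected"]:
                    findings.append((path, report))
    return findings


def build_fake_jar(version: str, include_jndi: bool = True) -> bytes:
    """Constructed sample jar for offline testing; not a real Log4j artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()
```

Run scan_directory against the application's lib folder; any entry returned is a log4j-core jar older than 2.17.0 and should be replaced along with its log4j-api counterpart.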

4.1 Upgrade Apache Log4j 2: replace all related jars with the latest release, log4j-2.17.0-rc1

Release log4j-2.17.0-rc1 · apache/logging-log4j2 · GitHub

4.2 Upgrade affected applications and components, for example:

  1. spring-boot-starter-log4j2
  2. Apache Solr
  3. Apache Flink
  4. Apache Druid

V. Emergency mitigation measures

If you cannot apply the fix in time, you can use the following methods to mitigate the problem immediately:

(1) Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true

(2) Set the configuration property log4j2.formatMsgNoLookups=true

(3) Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true

VI. Acknowledgements

Thanks to the hard-working Log4j2 community defenders for their overtime and selfless dedication!