After last week’s 2.16.0 update to Log4j2, we thought we were all done with the bug fixes.

Over the weekend, Log4j officially released a new version: 2.17.0

This release mainly fixes the security vulnerability: CVE-2021-45105

Affected versions: 2.0- Alpha1 to 2.16.0 (1.x users continue to ignore)

This vulnerability can trigger an infinite loop by constructing malicious input data that contains recursive Lookups only if the log configuration uses a non-default Pattern Layout with Context Lookups (e.g. **$${CTX :loginId**}). A StackOverflowError results and the process crashes.

Only log4J-core is affected, so programs that use only log4J-API don’t need to worry. So, you can fix this vulnerability by updating log4J-core

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.0</version>
</dependency>
Copy the code

Of course, if you are affected by Spring Boot, follow the previous configuration to fix the Log4j2 nuke vulnerability of Spring Boot project! Sharing makes it easier to upgrade. If you are learning Spring Boot, a free tutorial that has been running for years and continues to be updated is recommended.

If it is not currently convenient to upgrade the version, you can also use the following two methods to mitigate the vulnerability:

  • In the PatternLayout of the log configuration, replace the Context Lookups like ${CTX :loginId} or $${CTX :loginId} with %X, %MDC, or %MDC
  • Remove references to Context Lookups where external data (HTTP headers, user input, etc.) is used (such as ${CTX :loginId} or $${CTX :loginId})

Well, not much to say, we pay close attention to self-examination, do the necessary protective measures, for a good sleep early!

Welcome to pay attention to my public account: program ape DD, share the outside can not see the dry goods and thinking!