V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
plasmetoz
V2EX  ›  Java

关于现在的 log4j2 漏洞的系统变量缓解方法

  •  
  •   plasmetoz · 2021-12-10 16:06:26 +08:00 · 4049 次点击
    这是一个创建于 1077 天前的主题,其中的信息可能已经有所发展或是发生改变。
    我查到的是

    临时缓解措施:
    1. 禁止没有必要的业务访问外网
    2. 使用 jvm 参数启动 -Dlog4j2.formatMsgNoLookups=true
    3. 设置 log4j2.formatMsgNoLookups=True
    4. 系统环境变量中将 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 设置为 true

    但是我测试 4 在 linux 下 export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true 好像不起作用,查看 log4j2 的代码里面

    @Deprecated
    public static final boolean FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS = PropertiesUtil.getProperties().getBooleanProperty("log4j2.formatMsgNoLookups", true);

    似乎也只是变量名称。。。是我理解错了吗?
    12 条回复    2021-12-12 14:30:17 +08:00
    vast0906
        1
    vast0906  
       2021-12-10 16:09:13 +08:00
    官方的 release 包似乎正在发布
    plasmetoz
        2
    plasmetoz  
    OP
       2021-12-10 16:10:55 +08:00
    @vast0906 #1 是,但是现在打算先紧急维护一下,以为方法 4 用了以后把 java 服务全重启一下就行了,结果好像不行
    zhady009
        3
    zhady009  
       2021-12-10 16:18:32 +08:00   ❤️ 1
    可以试试改 pattern 把%m 或者%msg 改成%m{nolookup}
    cheng6563
        4
    cheng6563  
       2021-12-10 16:24:24 +08:00   ❤️ 2
    用这个吧 JAVA_TOOL_OPTIONS=-Dlog4j2.formatMsgNoLookups=true
    plasmetoz
        5
    plasmetoz  
    OP
       2021-12-10 16:29:44 +08:00
    @cheng6563 #4 多谢,这个看起来可以
    wbd31
        6
    wbd31  
       2021-12-10 16:54:00 +08:00   ❤️ 1
    formatMsgNoLookups 这个参数是 2.10 版本才加上的,对于之前同样受漏洞影响的版本无效
    silverfox
        7
    silverfox  
       2021-12-11 01:20:33 +08:00   ❤️ 1
    @zhady009 这里少了一个 s ,应该是改为 %m{nolookups}
    huage
        8
    huage  
       2021-12-11 21:42:20 +08:00
    Remediation Advice:

    This issue was remediated in Log4J v2.15.0. The Apache Logging Services team provides the following mitigation advice:

    In previous releases (>=2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 protects against RCE by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

    You can manually check for use of affected versions of Log4J by searching your project repository for Log4J use, which is often in a pom.xml file.

    Where possible, upgrade to Log4J version 2.15.0. If you are using Log4J v1 there is a migration guide available.

    Please note that Log4J v1 is End Of Life (EOL) and will not receive patches for this issue. Log4J v1 is also vulnerable to other RCE vectors and we recommend you migrate to Log4J 2.15.0 where possible.

    If upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set on both client- and server-side components.
    troywinter
        9
    troywinter  
       2021-12-11 23:27:42 +08:00
    JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load a remote codebase using LDAP.
    44670
        10
    44670  
       2021-12-12 03:00:50 +08:00
    LOG4J_FORMAT_MSG_NO_LOOKUPS=true 似乎也可以
    https://logging.apache.org/log4j/2.x/security.html

    感觉 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 是国内的以讹传讹。
    44670
        12
    44670  
       2021-12-12 14:30:17 +08:00
    @Kaiv2 看来是 log4j 的文档就写错了,好怪。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1337 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 26ms · UTC 23:46 · PVG 07:46 · LAX 15:46 · JFK 18:46
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.