共 (1) 个答案

1. # 1 楼答案

   我们应该将log4j升级到版本2.15.0（可从^{}获得）As per the security notes (^{})，该漏洞已在2.15.0中修复

   “安全说明”还列出了在（当前）不允许升级的情况下减少利用漏洞的措施：

   Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

   如果我们使用的spring-boot-starter-logging没有额外的配置，我们不会受到影响。有关详细信息，请参阅spring-boot infromation on the issue (^{})

   类似地，我们在使用quarkus时不会受到影响，只要我们不显式添加log4j依赖项。见the corresponding github issue (^{})