
Java log4j1 vulnerability: is log4j 1.2.17 vulnerable (cannot find any JNDI code in the source)?

Regarding the confirmed Log4j JNDI remote code execution vulnerability CVE-2021-44228 (see also the references), I would like to know whether Log4j v1.2 is also affected, but the closest thing I found from reviewing the source code is the JMS-Appender.

The problem is that, while posts on the internet indicate that Log4j 1.2 is also vulnerable, I cannot find the relevant source code.

Am I missing something that others have already confirmed?

Log4j 1.2 seems to have a vulnerability in the socket-server class, but my understanding is that it first has to be enabled for this to apply, so it is not a passive threat, unlike the identified JNDI lookup vulnerability.

Is my understanding correct that Log4j v1.2 is not vulnerable to the JNDI remote code execution bug?

References:

https://logging.apache.org/log4j/2.x/security.html

https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/

https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html

https://portswigger.net/daily-swig/log4shell-vulnerability-poses-critical-threat-to-applications-using-ubiquitous-java-logging-package-apache-log4j

Update #1: this blog post from Cloudflare also indicates the same point as AKX... it was introduced with log4j2.


4 answers

  1. # Answer 1

    While not affected by the exact same Log4Shell issue, the Apache Log4j team recommends removing JMSAppender and SocketServer, which have vulnerabilities under CVE-2019-17571, from the jar file.

    You can remove the affected classes with the zip command, substituting your own file name/version:

    zip -d log4j-1.2.16.jar org/apache/log4j/net/JMSAppender.class
    zip -d log4j-1.2.16.jar org/apache/log4j/net/SocketServer.class
    

    You can browse the files in the zip with less and grep, e.g. less log4j-1.2.16.jar | grep JMSAppender

    That said, Apache recommends that you upgrade to a 2.x version if possible. Per their security page:

    Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

  2. # Answer 2

    In addition to the answer given by @giraffesyo, in case it helps anyone, I wrote this bash script; it removes the classes identified as vulnerable (link here to Log4j dev thread) and sets the properties files to read-only, as suggested here on the Red Hat bugzilla thread.

    Note 1: it does not check for any use of these classes in the properties; this is purely a find-and-remove approach; use at your own risk.

    Note 2: this depends on zip and unzip being installed.

    #!/bin/bash
    
    # Usage: script DIR [APPLY]
    #   Lists log4j 1.x jars under DIR and the vulnerable classes they contain;
    #   with APPLY=Y it deletes those classes and makes log4j properties read-only.
    
    DIR=$1
    APPLY=$2
    
    # Classes to be searched for/removed
    CLASSES="org/apache/log4j/net/SimpleSocketServer.class
    org/apache/log4j/net/SocketServer.class
    org/apache/log4j/net/JMSAppender.class"
    
    PROGNAME=$(basename "$0")
    
    usage () {
        echo >&2 "Usage: ${PROGNAME} DIR [APPLY]"
        echo >&2 "       Where DIR is the starting directory for find"
        echo >&2 "       and   APPLY = \"Y\" - to perform purification"
        exit 1
    }
    
    # force upper case on Apply
    APPLY=$(echo "${APPLY}" | tr '[:lower:]' '[:upper:]')
    
    # Default Apply to N
    if [ "$APPLY" = "" ] ; then
       APPLY="N"
    fi
    
    # Check parameters
    if [ "$DIR" = "" ] ; then
       usage
    fi
    echo "$APPLY" | grep -q -e '^Y$' -e '^N$' || usage
    
    # Search for log4j jar files - for class file removal
    # (the pattern is quoted so the shell does not expand it against the current directory)
    FILES=$(find "$DIR" -name '*log4j*jar')
    for f in $FILES
    do
       echo "Checking Jar [$f]"
    
       for jf in $CLASSES
       do
          # list the jar contents and show the entry if it is present
          unzip -v "$f" | grep -e "$jf"
          if [ "$APPLY" = "Y" ]
          then
             echo "Deleting $jf from $f"
             zip -d "$f" "$jf"
          fi
       done
    done
    
    # Search for log4j properties files - for read-only setting
    PFILES=$(find "$DIR" -name '*log4j*properties')
    for f in $PFILES
    do
       echo "Checking permissions [$f]"
    
       if [ "$APPLY" = "Y" ]
       then
          echo "Changing permissions on $f"
          chmod 444 "$f"
       fi
    
       ls -l "$f"
    done
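The script above deletes the classes without checking whether any log4j configuration still references them (its Note 1). The following added example, which is not part of the original answer, scans log4j properties and XML files for the same three class names first, so you can see which applications would lose an appender after removal. The class names are taken from the script above; the directory layout and configuration contents it creates are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original answer): find log4j 1.x configuration
# files that reference the classes slated for removal, before removing them.

# Same three classes as in the purge script above, in dotted (config) form.
VULN_CLASSES="org.apache.log4j.net.JMSAppender
org.apache.log4j.net.SocketServer
org.apache.log4j.net.SimpleSocketServer"

# check_config FILE
# Prints every line of FILE that references one of the classes.
# Returns 0 if at least one reference was found, 1 otherwise.
check_config() {
    file="$1"
    found=1
    for cls in $VULN_CLASSES; do
        # -F: the dots in the class name are literal, not regex wildcards
        if grep -n -F "$cls" "$file"; then
            found=0
        fi
    done
    return $found
}

# scan_dir DIR
# Prints the path of each log4j*.properties / log4j*.xml under DIR that
# references one of the classes (one path per line).
scan_dir() {
    find "$1" \( -name 'log4j*.properties' -o -name 'log4j*.xml' \) -type f |
    while IFS= read -r cfg; do
        if check_config "$cfg" >/dev/null 2>&1; then
            echo "$cfg"
        fi
    done
}

# make_sample_tree DIR
# Constructed sample data (not real application config): one app whose
# configuration uses JMSAppender and one that only uses ConsoleAppender.
make_sample_tree() {
    mkdir -p "$1/app1" "$1/app2"
    cat > "$1/app1/log4j.properties" <<'EOF'
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
EOF
    cat > "$1/app2/log4j.xml" <<'EOF'
<log4j:configuration>
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
</log4j:configuration>
EOF
}

# Demonstration run on the constructed tree.
SAMPLE=$(mktemp -d)
make_sample_tree "$SAMPLE"
scan_dir "$SAMPLE" | while IFS= read -r cfg; do
    echo "== $cfg references a class slated for removal:"
    check_config "$cfg"
done
rm -rf "$SAMPLE"
```

Run it against a real tree by calling scan_dir on the application root instead of the sample directory; a file it lists will stop loading its appender once the class is deleted from the jar, so fix the configuration (or plan for the breakage) before running the purge with APPLY=Y.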
    
  3. # Answer 3

    Note that log4j 1.x is no longer supported, and in this version there is a bug related to Log4Shell named CVE-2021-4104.