发布于 3个月前

Log4j发布2.7.0,解决Dos攻击安全漏洞CVE-2021-45105

漏洞说明

官方发布信息如下:

Important: Security Vulnerability CVE-2021-45105

The Log4j team has been made aware of a security vulnerability, CVE-2021-45105, that has been addressed in Log4j 2.17.0 for Java 8 and up.

Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.

Details

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

Mitigation

From version 2.17.0 (for Java 8), only lookup strings in configuration are expanded recursively; in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved.

In prior releases this issue can be mitigated by ensuring your logging configuration does the following:

  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId}or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

影响版本:2.0-alpha1 至 2.16.0

如官方发布的信息,当日志配置是非默认的Pattern Layout中带有Context Lookups,如$${ctx:loginId}时,攻击者可以制作包含递归查找的恶意输入数据 ,导致 StackOverflowError 将终止进程。 这也称为 DOS(拒绝服务)攻击

解决方案

主要涉及的报时log4j-core,maven升级为2.17.0配置:

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.17.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.17.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-jul</artifactId>
    <version>2.17.0</version>
</dependency>

临时解决方案

在官方发布的信息里提到了两种躲避方案:

  • 在 PatternLayout 中,用 %X、%mdc 或 %MDC 来替换 ctx: loginId 或 {ctx:loginId} 或ctx:loginId或${ctx:loginId} 等Context Lookups
  • 在使用外部数据,如HTTP Header或用户输入等的地方,不要使用Context Lookups的引用(如 ${ctx:loginId} 或 $${ctx:loginId} )
©2020 edoou.com   京ICP备16001874号-3