V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
V2EX 提问指南
jasondennis12139
V2EX  ›  问与答

关于 Log4j2 的王炸,各位对不能升级版本的中间件都有什么修复的方法?

  •  
  •   jasondennis12139 · 2021-12-13 09:40:35 +08:00 · 2570 次点击
    这是一个创建于 1088 天前的主题,其中的信息可能已经有所发展或是发生改变。
    9 条回复    2021-12-14 07:38:21 +08:00
    clf
        1
    clf  
       2021-12-13 09:58:15 +08:00
    不对外网开放+改环境变量。

    能够单独引入指定版本 log4j2 的项目单独引入修复的版本。
    wolfie
        2
    wolfie  
       2021-12-13 10:06:50 +08:00
    找特定版本 JDK trustURLCodebase 为 false 的。
    Depth
        3
    Depth  
       2021-12-13 10:43:17 +08:00   ❤️ 3
    coolwind1981
        4
    coolwind1981  
       2021-12-13 11:43:42 +08:00
    临时解决,设定参数:formatMsgNoLookups=true

    Temporary Mitigation​
    As per this discussion on HackerNews:

    The 'formatMsgNoLookups' property was added in version 2.10.0, per the JIRA Issue LOG4J2-2109 [1] that proposed it. Therefore the 'formatMsgNoLookups=true' mitigation strategy is available in version 2.10.0 and higher, but is no longer necessary with version 2.15.0, because it then becomes the default behavior [2][3].

    If you are using a version older than 2.10.0 and cannot upgrade, your mitigation choices are:

    Modify every logging pattern layout to say %m{nolookups} instead of %m in your logging config files, see details at https://issues.apache.org/jira/browse/LOG4J2-2109 (only works on versions >= 2.7) or,

    Substitute a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to your application's or stack's classloading documentation to understand this behavior.

    参考
    https://www.lunasec.io/docs/blog/log4j-zero-day/
    ltxlouis
        5
    ltxlouis  
       2021-12-13 12:09:06 +08:00 via iPhone
    补充一个
    For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

    https://logging.apache.org/log4j/2.x/
    PiersSoCool
        6
    PiersSoCool  
       2021-12-13 14:42:08 +08:00
    如果业务运行在内网,需要很注意这个问题吗?我个人感觉是没必要啊,没有入口可以注入 LOG 吧?
    fdgdbr
        7
    fdgdbr  
       2021-12-13 15:45:46 +08:00
    @Depth 有意思
    amrom
        8
    amrom  
       2021-12-13 15:59:18 +08:00
    我提供一个思路,不知道对不对,用 nginx 来拦截输入,匹配关键字
    aragakiyuii
        9
    aragakiyuii  
       2021-12-14 07:38:21 +08:00 via iPhone
    https://github.com/Glavo/log4j-patch
    推荐 glavo 大佬的 patch
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   5924 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 34ms · UTC 02:17 · PVG 10:17 · LAX 18:17 · JFK 21:17
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.