IBM java 获取默认值(以缓解 CVE-2021-44228
[英]IBM java get defaults (to mitigate CVE-2021-44228
问题描述
how can I dump on Java (IBM Java) the default values to check default of
如何在 Java (IBM Java) 上转储默认值以检查默认值
"com.sun.jndi.rmi.object.trustURLCodebase"
"com.sun.jndi.cosnaming.object.trustURLCodebase"
something like this but for the above parameter.类似这样的东西,但对于上述参数。
java -XX:+PrintFlagsFinal -version
This is for CVE-2021-44228 mitigation review.这是为了 CVE-2021-44228 缓解审查。
Ideally this can be checked on cmd and not need to run a test code.理想情况下,这可以在 cmd 上进行检查,而无需运行测试代码。
Here my attempt of test code which doesn't show (display Null)在这里我尝试不显示的测试代码(显示空)
import java.util.Properties;
class TiloDisplay
{
public static void main(String[] args)
{
Properties prop = System.getProperties();
printProperties(prop);
}
public static void printProperties(Properties prop) {
prop.stringPropertyNames().stream()
.map(key -> key + ": " + prop.getProperty(key))
.forEach(System.out::println);
System.out.println("CVE check part ========================================== " );
System.out.println("CVE check for:: com.sun.jndi.ldap.object.trustURLCodebase: " + prop.getProperty("com.sun.jndi.ldap.object.trustURLCodebase"));
System.out.println("CVE check for:: com.sun.jndi.rmi.object.trustURLCodebase: " + prop.getProperty("com.sun.jndi.rmi.object.trustURLCodebase"));
System.out.println("CVE check for:: com.sun.jndi.cosnaming.object.trustURLCodebase: " + prop.getProperty("com.sun.jndi.cosnaming.object.trustURLCodebase"));
System.out.println("Cross Check: " + prop.getProperty("java.version"));
}
}
compile and run编译运行
javac DisplayApp.java -source 1.8 -target 1.8
java TiloDisplay
5 个解决方案
解决方案1
2 2021-12-10 19:31:10
CVE-2021-44228 creates a large attack surface depending on the imagination of the attacker and an RCE is just one of them. CVE-2021-44228 根据攻击者的想象力创造了一个巨大的攻击面,而 RCE 只是其中之一。 I would strongly advise you to avoid having a false conclusion by relying on a JVM feature targeting a certain attack vector;我强烈建议您通过依赖针对特定攻击向量的 JVM 功能来避免得出错误的结论; there are more vectors.有更多的向量。 Simply either bump log4j-core to 2.15.0 or set log4j2.formatMsgNoLookups=true system property.只需将log4j-core提升到 2.15.0 或设置log4j2.formatMsgNoLookups=true系统属性。
解决方案2
0 2021-12-11 08:27:52
Answering the letter of the question :回答问题的信:
It does not appear that the system properties in question have any value by default.默认情况下,相关系统属性似乎没有任何值。 If they did, you could check with:如果他们这样做了,您可以检查:
$ java -XshowSettings:properties -version
Note that -X flags are non-standard, though IBM Java supports this one (checked Semeru 11).请注意, -X标志是非标准的,尽管 IBM Java 支持这一标志(检查 Semeru 11)。
As for the context :至于上下文:
The implementations (in OpenJDK at least) query for the property values, defaulting to false if the properties are unset, eg 实现(至少在 OpenJDK 中)查询属性值,如果属性未设置,则默认为false ,例如
// System property to control whether classes may be loaded from an
// arbitrary URL code base
String trust = getPrivilegedProperty(
"com.sun.jndi.ldap.object.trustURLCodebase", "false");
trustURLCodebase = "true".equalsIgnoreCase(trust);
So neither -XshowSettings nor the programmatic check in the question are helpful to know for certain what behavior your JVM defaults to for these features, or if the JVM version you're running uses these properties at all if you set them explicitly.因此,问题中的-XshowSettings和编程检查都无助于确定您的 JVM 对于这些功能的默认行为,或者如果您明确设置它们,您正在运行的 JVM 版本是否使用这些属性。
I agree with @Volkan's point, but I also would like to verify that these (dangerous) JNDI features are disabled regardless of the Log4J exploit.我同意@Volkan 的观点,但我也想验证这些(危险的)JNDI 功能是否被禁用,无论 Log4J 漏洞利用如何。 Unfortunately though we need another way to do that, ideally an implementation-independent one.不幸的是,尽管我们需要另一种方法来做到这一点,理想情况下是一种独立于实现的方法。
解决方案3
0 2021-12-11 12:22:05
I would assume that turning these feature off will prevent RCE using JNDI, not just the one using Log4J2我认为关闭这些功能将阻止使用 JNDI 的 RCE,而不仅仅是使用 Log4J2 的 RCE
log4j2.formatMsgNoLookups -> set to true
"com.sun.jndi.rmi.object.trustURLCodebase" -> set to false
"com.sun.jndi.cosnaming.object.trustURLCodebase" -> set to false
Upgrade Log4J2 to 2.15 and upgrade Java to > Java 8u121将Log4J2升级到2.15并升级Java到> Java 8u121
解决方案4
0 2021-12-13 11:08:24
解决方案5
0 2021-12-15 07:25:17
The upgrade to L4J 2.15.x is not enough.升级到 L4J 2.15.x 是不够的。 There is another exploit (see https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/ ) and new version L4J 2.16 has been published already disabling default JNDI settings ( https://logging.apache.org/log4j/2.x/download.html ) and upgrade to 2.16 version is more important now.还有另一个漏洞利用(参见https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/ )并且新版本 L4J 2.16 已经发布,已经禁用默认JNDI 设置( https://logging.apache.org/log4j/2.x/download.html )现在更重要的是升级到 2.16 版本。 But there are many L4J clones, custom codes using the same L4J classes and that is why it's important to check the JVM settings especially for previous JDK versions as prior to 6u211, 7u201 and 8u191 and disable JNDI + RMI settings.但是有许多 L4J 克隆、使用相同 L4J 类的自定义代码,这就是为什么检查 JVM 设置很重要的原因,特别是对于 6u211、7u201 和 8u191 之前的 JDK 版本,并禁用 JNDI + RMI 设置。 More about it was presented on BlackHat in 2016 see https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf . 2016 年在 BlackHat 上介绍了有关它的更多信息,请参阅https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE。 pdf 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.