[英]JAVA formatMsgNoLookups option (CVE-2021-44228)
When I run当我跑
$ java -XX:+UnlockDiagnosticVMOptions -XX:+PrintFlagsFinal -version | grep -i formatMsgNoLookups
I get no formatMsgNoLookups option in output.我在 output 中没有得到 formatMsgNoLookups 选项。 Does it mean I am not vulnerable to CVE-2021-44228?
这是否意味着我不容易受到 CVE-2021-44228 的攻击?
You are conflating things.你把事情混为一谈。
log4j2.formatMsgNoLookups
is a system property which is picked up by the log4j2 logging library. log4j2.formatMsgNoLookups
是一个由 log4j2 日志库获取的系统属性。 It is not a JVM flag and won't be printed by -XX:+PrintFlagsFinal
.它不是 JVM 标志,不会由
-XX:+PrintFlagsFinal
打印。 If it is enabled, then log4j2 doesn't perform lookups from the format message, which mitigates the vulnerability by disabling this attack vector.如果启用,则 log4j2 不会从格式消息中执行查找,从而通过禁用此攻击向量来缓解漏洞。
You can only be vulnerable to CVE-2021-44228 if you are actually using log4j2 in your Java application.只有在 Java 应用程序中实际使用 log4j2 时,您才会容易受到 CVE-2021-44228 的攻击。 Let me repeat that: your application is what's vulnerable, not the Java or the JVM itself.
让我重复一遍:您的应用程序是易受攻击的,而不是 Java 或 JVM 本身。 On the same JVM, one application can be vulnerable, while another isn't.
在同一个 JVM 上,一个应用程序可能易受攻击,而另一个应用程序则不然。
(And if it were, the absence of it would rather indicate the opposite: you are vulnerable) (如果是的话,没有它反而表明相反:你很脆弱)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.