JAVA formatMsgNoLookups 选项 (CVE-2021-44228)
[英]JAVA formatMsgNoLookups option (CVE-2021-44228)
问题描述
When I run
当我跑
$ java -XX:+UnlockDiagnosticVMOptions -XX:+PrintFlagsFinal -version | grep -i formatMsgNoLookups
I get no formatMsgNoLookups option in output.我在 output 中没有得到 formatMsgNoLookups 选项。 Does it mean I am not vulnerable to CVE-2021-44228?这是否意味着我不容易受到 CVE-2021-44228 的攻击?
1 个解决方案
解决方案1
1 已采纳 2021-12-12 10:35:53
You are conflating things.你把事情混为一谈。 log4j2.formatMsgNoLookups is a system property which is picked up by the log4j2 logging library. log4j2.formatMsgNoLookups是一个由 log4j2 日志库获取的系统属性。 It is not a JVM flag and won't be printed by -XX:+PrintFlagsFinal .它不是 JVM 标志,不会由-XX:+PrintFlagsFinal打印。 If it is enabled, then log4j2 doesn't perform lookups from the format message, which mitigates the vulnerability by disabling this attack vector.如果启用,则 log4j2 不会从格式消息中执行查找,从而通过禁用此攻击向量来缓解漏洞。
You can only be vulnerable to CVE-2021-44228 if you are actually using log4j2 in your Java application.只有在 Java 应用程序中实际使用 log4j2 时,您才会容易受到 CVE-2021-44228 的攻击。 Let me repeat that: your application is what's vulnerable, not the Java or the JVM itself.让我重复一遍:您的应用程序是易受攻击的,而不是 Java 或 JVM 本身。 On the same JVM, one application can be vulnerable, while another isn't.在同一个 JVM 上,一个应用程序可能易受攻击,而另一个应用程序则不然。
(And if it were, the absence of it would rather indicate the opposite: you are vulnerable) (如果是的话,没有它反而表明相反:你很脆弱)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.