
How to Avoid Log4J exploit

There is a serious security flaw in Log4J that has apparently been patched. But I have not found an intelligible explanation as to how there could even be a security flaw in a logging framework.

It seems to have something to do with "Lookups": https://logging.apache.org/log4j/2.x/manual/lookups.html

But that is in a config file, not a log file that could be injected into?

Question. How do I kill all clever stuff once and for all to prevent any future exploits? I just want logging.

It smells like I need to remove any "$" signs, but that is just a guess. (One should also remove any \ns to avoid log file spoofing. I always write a very simple wrapper for the logging to be able to do this sort of thing.)

The only way to prevent vulnerabilities caused by lookups is to disable them completely.

According to the log4j2 team, the way to do that is by appending the Java parameter

-Dlog4j2.formatMsgNoLookups=true

Unfortunately, the lookups are applied to the logged sequence, even if you use parameters or log exception stack traces. The lookup sequences in your code are not dangerous, because they are controllable. But those that come from the user are not predictable. If you log 'wrong username: xxx', you have no idea what the user can type to exploit another vulnerability.

However, you can't be sure there are no other grave errors in the framework, so switching to another logging framework is reasonable.

A good candidate is Logback, which was started by the original author of Log4j. The developer states clearly that his framework has nothing to do with the security issues introduced in Log4j2:

Unless specified otherwise, when we say log4j we mean log4j 1.x. We should also like to emphasize that logback is unrelated to log4j 2.x. It does not share code nor vulnerabilities with log4j 2.x.
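As an added example (not code from the question or this answer), here is the kind of small Java wrapper the question sketches: it neutralizes the "${" lookup trigger and escapes line breaks in user-supplied values before they reach a parameterized log call, which matters because, as noted above, lookups are evaluated on parameter values too. The `sink` stands in for the real logger call (for instance log4j's `Logger.info(String, Object...)`) so the file compiles on its own; that is an assumption of this example, and upgrading or setting `-Dlog4j2.formatMsgNoLookups=true` remains the primary fix.

```java
import java.util.function.BiConsumer;

/** Defensive wrapper: scrubs untrusted values before they reach the logging framework. */
public final class SafeLogger {
    // Stands in for the real logger call, e.g. log4j's Logger.info(String, Object...).
    // Using a plain functional interface here is an assumption so the file compiles alone.
    private final BiConsumer<String, Object[]> sink;

    public SafeLogger(BiConsumer<String, Object[]> sink) {
        this.sink = sink;
    }

    /** Escape line breaks and control characters (log forging) and break the "${" lookup trigger. */
    public static String sanitize(Object value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder();
        for (char c : String.valueOf(value).toCharArray()) {
            if (c == '\n') {
                out.append("\\n");
            } else if (c == '\r') {
                out.append("\\r");
            } else if (Character.isISOControl(c)) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        // Every Log4j lookup starts with "${"; inserting "_" means the substitutor can no longer match it.
        return out.toString().replace("${", "$_{");
    }

    /** The message template stays developer-controlled; only the arguments are user-controlled. */
    public void info(String template, Object... args) {
        Object[] clean = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            clean[i] = sanitize(args[i]);
        }
        sink.accept(template, clean);
    }

    public static void main(String[] args) {
        // Constructed hostile username: a lookup sequence plus a forged second log line.
        String hostile = "bob${some:lookup}\nINFO login OK for admin";
        SafeLogger log = new SafeLogger((t, a) -> System.out.println(t.replace("{}", String.valueOf(a[0]))));
        log.info("wrong username: {}", hostile);
    }
}
```

The sanitized value is emitted as a single log line with the lookup sequence broken, so neither the substitutor nor a log viewer sees the attacker's intended structure.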

For security issues like this one it makes sense to keep the up to date information in a single place.

Please refer to the official Log4j information about this vulnerability here: https://logging.apache.org/log4j/2.x/security.html The document states several mitigation measures applicable for different versions of Log4j.

I realize that in general the StackOverflow convention is to have explicit steps and examples in the answer here on StackOverflow, rather than link to external documentation, but I believe that sensitive security flaws should be an exception.
