Log4j 1：如何在不更新版本到 2.15.0 的情况下缓解 log4j 中的漏洞

Question

I am using log4j 1.2.16. I am using this with maven selenium testng java project. I am looking for a solution without upgrading the version of log4j.

<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.16</version>
</dependency>

Answer 1

Since you're using log4j 1, the specific vulnerability is not present there. See http://slf4j.org/log4shell.html :

Is log4j 1.x vulnerable? As log4j 1.x does not offer a look-up mechanism, it does not suffer from CVE-2021-44228. However, note that log4j 1.x is no longer being maintained. Thus, we urge you to migrate to one of its successors such as SLF4J and logback. Do migrate without delaying too much. Given that log4j version 1,x is still very widely deployed. we have been receiving a steady stream of questions regarding the vulnerability of log4j version 1.x.

As log4j 1.x does not offer a look up mechanism, it does not suffer from CVE-2021-44228.

Having said this, log4j 1.x is no longer being maintained with all the entailed security implications. Thus, we definitely urge you to migrate to one of its successors such as SLF4J/logback, sooner rather than later. But do migrate without waiting for months. Also note that tools exist to automate the migration.

Answer 2

The other answer is not correct. There is also a vulnerability for Version 1.x. CVE-2021-4104 https://access.redhat.com/security/cve/CVE-2021-4104 :

A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker's JMS Broker.

For the mitigation of this vulnerability:

These are the possible mitigations for this flaw for releases version 1.x:

• Comment out or remove JMSAppender in the Log4j configuration if it is used
• Remove the JMSAppender class from the classpath. For example:

zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class

• Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.

Answer 3

Safest solution is an update to log4j2 2.17.0 version.

use this dependency

<dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.17.0</version>
</dependency>

Add log4j2.xml file in src/main/resources or src/test/resources.

log4j2.xml

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="INFO">
    <Appenders>
        <Console name="Console" target="SYSTEM_OUT">
            <PatternLayout pattern="%d [%t] %-5level %logger{36} (%F:%L)- %msg%n" />
        </Console>
        <File name="MyFile" fileName="trace.log" immediateFlush="true" append="true">
            <PatternLayout pattern="%d [%t] %-5level %logger{36} (%F:%L)- %msg%n"/>
        </File>
    </Appenders>
    <Loggers>
        <Root level="info">
            <AppenderRef ref="Console" />
            <AppenderRef ref="MyFile"/>
        </Root>
    </Loggers>
</Configuration>

Imports needed

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

Usage in java class

@BeforeClass
    public void generateLog() throws URISyntaxException {
        Logger logger = LogManager.getLogger(Base.class);
    }

Answer 4

I use this command: zip -d /home/server-cliet.jar BOOT-INF/lib/log4j-1.2.17.jar/org/apache/log4j/net/JMSAppender.class

(log4j-1.2.17.jar is the dependent jar of server-cliet.jar)

it's not working, can anyone help?