如何缓解 Apache Log4j 反序列化 RCE (CVE-2019-17571)
[英]How to mitigate Apache Log4j Deserialization RCE (CVE-2019-17571)
问题描述
I have upgraded my log4j-core dependency to 2.15.0 in order to prevent any potential Log4Shell attack.
我已将 log4j-core 依赖项升级到 2.15.0,以防止任何潜在的 Log4Shell 攻击。 That being said I could not upgrade slf4j-log4j12's indirect log4j dependency from 1.2.17 since the latest stable version of slf4j-log4j12 is still dependent on log4j 1.2.17.话虽如此,我无法从 1.2.17 升级 slf4j-log4j12 的间接 log4j 依赖项,因为 slf4j-log4j12 的最新稳定版本仍然依赖于 log4j 1.2.17。 This still leaves my webapp vulnerable to CVE-2019-17571 if I am not mistaken.如果我没记错的话,这仍然会使我的 webapp 容易受到CVE-2019-17571 的攻击。 So reading about possible mitigation strategies I came across this article which recommends to:因此,阅读有关可能的缓解策略的文章,我发现了这篇文章,该文章建议:
prevent the socket port enabled by the SocketServer class in Log4j from being opened to the public network
Could anyone please explain to me how can this be achieved and whether would this workaround be sufficient?谁能向我解释如何实现这一目标以及这种解决方法是否足够?
1 个解决方案
解决方案1
1 已采纳 2021-12-14 09:00:41
Only servers that receive messages from other servers are vulnerable to CVE-2019-17571 .只有从其他服务器接收消息的服务器才容易受到CVE-2019-17571 。 Basically the only way to trigger the vulnerability is to run:基本上触发漏洞的唯一方法是运行:
java -jar log4j.jar org.apache.log4j.net.SocketServer <port> <config.properties> <log/directory>
or doing the equivalent in code.或者在代码中做同样的事情。 Therefore most Log4j 1.2 users are not vulnerable.因此大多数 Log4j 1.2 用户不会受到攻击。
In your case, however, you just need to replace the slf4j-log4j12 binding with its Log4j 2.x equivalent ( log4j-slf4j-impl ) and you can remove Log4j 1.2 altogether.但是,在您的情况下,您只需将slf4j-log4j12绑定替换为其 Log4j 2.x 等效项 ( log4j-slf4j-impl ),您就可以完全删除 Log4j 1.2。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.