Leveraging Java's sandbox to mitigate CVE-2021-44228 (log4j2 remote code execution)?

The Java Security Manager deprecation notwithstanding (JEP-411, Deprecate the Security Manager for Removal), would enabling a sandbox mechanism by leveraging the Java Security Manager (and the associated class-loading mechanisms) be a good approach?

As I understand it (and as mentioned in JEP-411 as well), they were originally intended to do just that: keep applets from running rogue code.

So would the most reliable technique, spanning across libraries (since the same vulnerability can theoretically be introduced in any open-source library), be to enable the sandbox mechanism?

This way the remote code would end up being loaded from the temp dir or some non-approved location. Thus it would help keep applications inherently safe rather than relying on external mechanisms to protect the application.

Is my understanding correct?

Note: as per the original JEP-411 entry, the approach to securing the environment is by alternate means, including but not limited to the use of containers!
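What the sandbox the question describes would actually intercept on the CVE-2021-44228 path, as an added example that is not part of the original post: a process-wide `SecurityManager` that refuses the two capabilities the JNDI/LDAP exploitation chain depends on, an outbound socket connection to the attacker's LDAP server and the creation of a new class loader to pull in the remote class. The class name `JndiSandboxDemo`, the nested manager `NoEgressNoLoaders`, and the endpoint `127.0.0.1:1389` are assumptions for the demo; nothing is listening there and nothing is contacted, because the checks fire before any network I/O. The manager is a deny-list of just those two permissions so the rest of the JVM keeps working; a real deployment would run the default `SecurityManager` against an allow-list policy file (`-Djava.security.manager -Djava.security.policy=app.policy`) that simply never grants `SocketPermission` or `createClassLoader` to the application's code base.

```java
import java.io.IOException;
import java.net.Socket;
import java.net.SocketPermission;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.Permission;

/**
 * Added example (not from the original post or the log4j project).
 * Installs a SecurityManager that denies outbound sockets and new class
 * loaders, then runs the two operations a JNDI lookup of ldap://host:port/x
 * would perform and reports whether each was blocked.
 */
public class JndiSandboxDemo {

    /** Hypothetical policy: no network egress, no new class loaders. */
    static final class NoEgressNoLoaders extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Any SocketPermission (connect, resolve, listen, accept) is refused.
            if (perm instanceof SocketPermission) {
                throw new SecurityException("denied by sandbox: " + perm);
            }
            // ClassLoader constructors call checkCreateClassLoader(), which
            // checks RuntimePermission("createClassLoader").
            if (perm instanceof RuntimePermission
                    && "createClassLoader".equals(perm.getName())) {
                throw new SecurityException("denied by sandbox: " + perm);
            }
            // Everything else is permitted: this is a demo deny-list, not an
            // allow-list policy (see the lead-in).
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /** Step 1 of the attack path: the LDAP connection the JNDI lookup opens. */
    static boolean connectBlocked(String host, int port) {
        try (Socket s = new Socket(host, port)) {
            return false; // connect went through: sandbox not effective
        } catch (SecurityException e) {
            // Thrown by SecurityManager.checkConnect() before any packet is sent.
            System.out.println("socket connect: " + e.getMessage());
            return true;
        } catch (IOException e) {
            // Only reachable if the SecurityManager let the connect proceed.
            System.out.println("socket connect reached the network: " + e);
            return false;
        }
    }

    /** Step 2: the URLClassLoader that would fetch the attacker's class bytes. */
    static boolean classLoaderBlocked(String codebase) {
        try {
            URLClassLoader loader = new URLClassLoader(new URL[] {new URL(codebase)});
            loader.close();
            return false; // loader created: remote classes could be defined
        } catch (SecurityException e) {
            System.out.println("class loader: " + e.getMessage());
            return true;
        } catch (IOException e) {
            return false; // malformed URL or close() failure; not a sandbox result
        }
    }

    public static void main(String[] args) {
        // Constructed attacker endpoint for the demo; nothing listens here.
        String host = "127.0.0.1";
        int port = 1389;

        System.setSecurityManager(new NoEgressNoLoaders());

        boolean egressBlocked = connectBlocked(host, port);
        boolean loaderBlocked = classLoaderBlocked("http://" + host + ":8080/");
        System.out.println("JNDI exploitation path blocked: "
                + (egressBlocked && loaderBlocked));
    }
}
```

Compile with `javac JndiSandboxDemo.java` and run with `java JndiSandboxDemo` on JDK 11 or 17 (17 prints a deprecation warning); on JDK 18 through 23 the manager is disallowed by default and `System.setSecurityManager` throws `UnsupportedOperationException` unless the JVM is started with `-Djava.security.manager=allow`, and from JDK 24 (JEP 486) the Security Manager is permanently disabled and cannot be enabled at all. Two caveats worth keeping in mind: the checks run in the same process as the vulnerable code and are only as good as the permission policy, so the vulnerable lookup still executes and every other library in the JVM is subject to the same restrictions; and denying egress blocks this exploitation path but does not remove the underlying bug, which still needs the library patched.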
