
How to Avoid Log4J exploit

There is a serious security flaw in Log4J that has apparently been patched. But I have not found an intelligible explanation as to how there could even be a security flaw in a logging framework.

It seems to have something to do with "Lookups". https://logging.apache.org/log4j/2.x/manual/lookups.html

But that is in a config file, not a log file that could be injected into?

Question. How do I kill all clever stuff once and for all to prevent any future exploits? I just want logging.

It smells like I need to remove any "$" signs but that is just a guess. (One should also remove any \ns to avoid log file spoofing. I always write a very simple wrapper for the logging to be able to do this sort of thing.)

The only way to prevent vulnerabilities caused by lookups is to disable them completely.

According to the log4j2 team, the way to do that is by appending the Java parameter

-Dlog4j2.formatMsgNoLookups=true

Unfortunately, the lookups are applied to the logged sequence, even if you use parameters or log exception stack traces. The lookup sequences in your code are not dangerous, because they are controllable. But those that come from the user are not predictable. If you log 'wrong username: xxx', you have no idea what the user can type to exploit another vulnerability.

However, you can't be sure there are no other grave errors in the framework, so switching to another logging framework is reasonable.

A good candidate is Logback, which was started by the original author of Log4j. The developer states clearly that his framework has nothing to do with the security issues introduced in Log4j2:

Unless specified otherwise, when we say log4j we mean log4j 1.x. We should also like to emphasize that logback is unrelated to log4j 2.x. It does not share code nor vulnerabilities with log4j 2.x.
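As an added example (not code from the question or either answer), here is a wrapper of the kind the question describes, combined with the flag named in this answer: untrusted values are sanitised before Log4j ever formats them. It assumes log4j-api 2.x on the classpath; the class name SafeLog and the "$_{" replacement are my own choices.

```java
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/** Hypothetical wrapper (not part of Log4j): untrusted values are
 *  neutralised before they reach the framework. Assumes log4j-api 2.x. */
public final class SafeLog {
    static {
        // Same switch as the JVM flag above; must run before Log4j initialises,
        // which is why this block precedes the LOG field.
        System.setProperty("log4j2.formatMsgNoLookups", "true");
    }
    private static final Logger LOG = LogManager.getLogger(SafeLog.class);

    /** Break lookup syntax and line breaks in a value that came from outside. */
    static String sanitize(Object value) {
        String s = String.valueOf(value);               // null becomes "null"
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '$' && i + 1 < s.length() && s.charAt(i + 1) == '{') {
                out.append("$_{");                      // "${" can no longer open a lookup
                i++;                                    // the '{' has been consumed
            } else if (c == '\r' || c == '\n') {
                out.append(' ');                        // no forged extra log lines
            } else if (c < 0x20 || c == 0x7f) {
                out.append('?');                        // other control characters (ESC, tab)
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    /** The pattern is a constant from our own code; only the arguments are untrusted. */
    public static void info(String pattern, Object... untrusted) {
        Object[] clean = new Object[untrusted.length];
        for (int i = 0; i < untrusted.length; i++) {
            clean[i] = sanitize(untrusted[i]);
        }
        LOG.info(pattern, clean);
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for what a user typed into a login form
        String name = "mallory\r\nINFO  login ok for admin";   // tries to forge a second line
        String agent = "curl/7.0 ${env:HOME}";                 // tries to trigger a lookup
        info("wrong username: {} (agent {})", name, agent);
    }
}
```

The pattern string itself is never built from user data; only the arguments are, and every one of them passes through sanitize() first.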

For security issues like this one it makes sense to keep the up to date information in a single place.

Please refer to the official Log4j information about this vulnerability here: https://logging.apache.org/log4j/2.x/security.html The document states several mitigation measures applicable for different versions of Log4j.

I realize that in general the StackOverflow convention is to have explicit steps and examples in the answer here on StackOverflow, rather than link to external documentation, but I believe that sensitive security flaws should be an exception.
