[英]Can Apache HTTP Server allow reverse shelling thanks to the new Log4j vulnerability?
I have an Apache HTTP Server installed on a Centos 8 machine, I would like to know if it uses the Log4j library by virtue of the new vulnerability discovered that is compromising many servers on the web. 如果是这样,解决的程序是什么? From my analysis I could see from the repository (svn.apache.org/repos/asf/httpd/httpd/) that the language used is C, XML so I imagine that it does not use Log4j for tracking the logs, but projects those与有源模块有关。 谢谢你。
不, Apache httpd和Apache log4j除了都由 ZE9713AE04A02A827 基金会发布之外没有任何共同点。
Apache log4j由 Java 编写的软件使用。Apache httpd没有写在 Java 中。Apache httpd不使用 Apache log4j。Apache httpd不受CVE-2021-44228 约束。 Note that an Apache httpd instance could be used as a reverse proxy in front of an http server using Java and log4j, but that's like saying a router is vulnerable because there's a server somewhere behind it that is.
您还可以在使用 log4j 的盒子上运行其他软件,但这不会是Apache httpd直接。
There's a lot of confusion around because many people call Apache httpd just Apache (for historical reasons), but Apache is the foundation which publishes Apache httpd and Apache log4j (and dozens of other projects).
在单个 apache 服务器上具有 Log4j 日志文件的多个 webapp
[英]multiple webapp with Log4j log file on a single apache server
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.