[英]Can Apache HTTP Server allow reverse shelling thanks to the new Log4j vulnerability?
I have an Apache HTTP Server installed on a Centos 8 machine, I would like to know if it uses the Log4j library by virtue of the new vulnerability discovered that is compromising many servers on the web. 如果是這樣,解決的程序是什么? From my analysis I could see from the repository (svn.apache.org/repos/asf/httpd/httpd/) that the language used is C, XML so I imagine that it does not use Log4j for tracking the logs, but projects those與有源模塊有關。 謝謝你。
不, Apache httpd和Apache log4j除了都由 ZE9713AE04A02A827 基金會發布之外沒有任何共同點。
Apache log4j由 Java 編寫的軟件使用。Apache httpd沒有寫在 Java 中。Apache httpd不使用 Apache log4j。Apache httpd不受CVE-2021-44228 約束。 Note that an Apache httpd instance could be used as a reverse proxy in front of an http server using Java and log4j, but that's like saying a router is vulnerable because there's a server somewhere behind it that is.
您還可以在使用 log4j 的盒子上運行其他軟件,但這不會是Apache httpd直接。
There's a lot of confusion around because many people call Apache httpd just Apache (for historical reasons), but Apache is the foundation which publishes Apache httpd and Apache log4j (and dozens of other projects).
在單個 apache 服務器上具有 Log4j 日志文件的多個 webapp
[英]multiple webapp with Log4j log file on a single apache server
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.