周末Log4j官方又发布了新版本:2.17.0
该版本主要修复安全漏洞:CVE-2021-45105
Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback’s architecture.
Important: Security Vulnerability CVE-2021-45105
The Log4j team has been made aware of a security vulnerability, CVE-2021-45105, that has been addressed in Log4j 2.17.0 for Java 8 and up.
Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
Details
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.
Mitigation
From version 2.17.0 (for Java 8), only lookup strings in configuration are expanded recursively; in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved.
In prior releases this issue can be mitigated by ensuring your logging configuration does the following:
- In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId}or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
- Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
Reference
Please refer to the Security page for details and mitigation measures for older versions of Log4j.
影响版本:2.0-alpha1 至 2.16.0(1.x用户继续忽略)该漏洞只有当日志配置使用带有Context Lookups的非默认 Pattern Layout(例如 $${ctx:loginId})时,攻击者可以通过构造包含递归查找的恶意输入数据,触发无限循环,导致 StackOverflowError,最终进程崩溃。这次漏洞受影响的只有log4j-core,仅使用log4j-api的程序不需要担心。所以,大家可以通过升级log4j-core来修复该漏洞的
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.0</version>
</dependency>
