Log4j vulnerability - Is Log4j 1.2.17 vulnerable (was unable to find any JNDI code in source)?

Regarding the Log4j JNDI remote code execution vulnerability that has been identified, CVE-2021-44228 (also see references), I wondered if Log4j v1.2 is also impacted, but the closest I got from source code review is the JMS-Appender.

The problem is that, while posts on the internet indicate that Log4j 1.2 is also vulnerable, I was unable to find the relevant source code for it.

Am I missing something that others have identified?

Log4j 1.2 appears to have a vulnerability in the socket-server class, but my understanding is that it needs to be enabled first for it to apply, so it is not a passive threat, unlike the JNDI lookup vulnerability that was identified.

Is my understanding correct that Log4j v1.2 is not vulnerable to the JNDI remote code execution bug?

References

This blog post from Cloudflare also indicates the same point as AKX..... it was introduced from Log4j 2!

Update #1 - A fork of the (now discontinued) apache-log4j-1.2.x with patches for several vulnerabilities identified in the older library is now available (from the original log4j author). The site is at https://reload4j.qos.ch/. As of 21-Jan-2022 version 1.2.18.2 has been released. Vulnerabilities addressed to date include those pertaining to JMSAppender, SocketServer and Chainsaw. Please note that I am just relaying this information. I have not verified the fix from my side. See the link for more details.

JNDI functionality was added into Log4j 2.0-beta9

Log4j 1.x therefore does not have the vulnerable code.

Although not affected by the exact same Log4Shell issue, the Apache Log4j team recommends removing JMSAppender and SocketServer, which has a vulnerability in CVE-2019-17571, from your JAR files.

You can use the zip command to remove the affected classes. Replace filename/version with yours:

zip -d log4j-1.2.16.jar org/apache/log4j/net/JMSAppender.class
zip -d log4j-1.2.16.jar org/apache/log4j/net/SocketServer.class

You can use less and grep to view the files in the zip, e.g. less log4j-1.2.16.jar | grep JMSAppender

That said, Apache recommends that you upgrade to 2.x if at all possible. According to their security page:

Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.
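To check a jar for the two classes named above and produce a copy with them removed (the same effect as the zip -d commands), here is an added Python example; it is not part of the original answer, and the sample jar it builds is constructed in code, with empty entries named like the real classes.

```python
"""Inspect a Log4j jar for risky classes and write a copy with them stripped out."""
import io
import zipfile

# Classes the Log4j team recommends removing from 1.x jars (see the answer above)
LOG4J1_RISKY = {
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
}
# Log4Shell (CVE-2021-44228) lives in 2.x's JndiLookup; its presence marks a 2.x jar
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def inspect_jar(data: bytes) -> dict:
    """Report whether the jar is 1.x, whether it ships JndiLookup, and which risky classes it carries."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
    return {
        "log4j1": "org/apache/log4j/Logger.class" in names,  # 1.x core logger class
        "jndi_lookup": LOG4J2_JNDI in names,
        "risky_classes": sorted(LOG4J1_RISKY & names),
    }


def strip_classes(data: bytes, drop: set) -> bytes:
    """Equivalent of `zip -d`: copy every entry except the ones listed in `drop`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in drop:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar(names) -> bytes:
    """Constructed stand-in for a real jar: entry names match real classes, bodies are empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for n in names:
            jar.writestr(n, b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_jar(["org/apache/log4j/Logger.class", *LOG4J1_RISKY])
    print(inspect_jar(sample))
    print(inspect_jar(strip_classes(sample, LOG4J1_RISKY)))
```

On a real file, read the jar bytes from disk, pass them to inspect_jar, and write the result of strip_classes back out after verifying the report.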

In addition, and in case it helps anyone, I wrote this Bash script, which removes classes identified as vulnerabilities (link here to Log4j dev thread) and sets properties files to read-only, as suggested here on a Red Hat Bugzilla thread.

Note 1 - it does not check for any use of these classes in the properties; it is purely a find-and-remove approach - use at your own risk!

Note 2 - it depends on zip and unzip being installed

#!/bin/bash

# Usage: script DIR [APPLY] - positional arguments
DIR=$1
APPLY=$2

# Classes to be searched for/removed
CLASSES="org/apache/log4j/net/SimpleSocketServer.class
org/apache/log4j/net/SocketServer.class
org/apache/log4j/net/JMSAppender.class"


PROGNAME=$(basename "$0")
PROGPATH=$(echo "$0" | sed -e 's,[\/][^\/][^\/]*$,,')

usage () {
    echo >&2 "Usage: ${PROGNAME} DIR [APPLY]"
    echo >&2 "       Where DIR is the starting directory for find"
    echo >&2 "       and   APPLY = \"Y\" - to perform purification"
    exit 1
}

# Force upper case on Apply
APPLY=$(echo "${APPLY}" | tr '[:lower:]' '[:upper:]')

# Default Apply to N
if [ "$APPLY" == "" ] ; then
   APPLY="N"
fi

# Check parameters
if [ "$DIR" == "" ] ; then
   usage
fi
echo "$APPLY" | grep -q -i -e '^Y$' -e '^N$' || usage

# Search for log4j jar files - for class file removal
FILES=$(find "$DIR" -name '*log4j*jar')
for f in $FILES
do
   echo "Checking Jar [$f]"

   for jf in $CLASSES
   do
      # List the jar contents and show whether the class is present
      unzip -v "$f" | grep -e "$jf"
      if [ "$APPLY" = "Y" ]
      then
         echo "Deleting $jf from $f"
         zip -d "$f" "$jf"
      fi
   done
done

# Search for Log4j properties files - for read-only setting
PFILES=$(find "$DIR" -name '*log4j*properties')
for f in $PFILES
do
   echo "Checking permissions [$f]"

   if [ "$APPLY" = "Y" ]
   then
      echo "Changing permissions on $f"
      chmod 444 "$f"
   fi

   ls -l "$f"
done