How can I mitigate the Log4Shell vulnerability in version 1.2 of Log4j?
I have a very old version of Solr and I've been trying to see if it is affected by the Log4Shell vulnerability that everybody is freaking out about (CVE-2021-44228).
This CVE seems to apply only to later versions, but a colleague doesn't buy it, so I want to get to the bottom of it.
I'm about 95% sure this is fine for old versions of Log4j. Three reasons:
I'm using version 1.2. I found the Log4j JAR file on my system, unzipped it, and looked for any mention of JNDI:
find / -iname '*log4j*'
unzip /etc/opt/jetty/lib/ext/log4j-1.2.17.jar | grep -i jndi
That didn't return anything, so I feel good there. The CVE says you would typically find something by looking at the JAR file. It suggests doing this:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
That did nothing for me.
I dug through the changelog for Log4j. It says for version 2.0-beta9:
Add JNDILookup plugin. Fixes LOG4J2-313. Thanks to Woonsan Ko.
So I think it's safe to say JNDI didn't exist in Log4j before that. The Jira ticket that added it is here.
I checked the old manual for version 1.2 and compared it to the latest version. In the latest one there is a "Lookups" section explaining how JNDI works. In version 1.2, that section does not exist.
I feel... okay about it?
Ralph Goers (Apache Log4J maintainer) says:
There are two aspects to this vulnerability.
- Log4j 2’s lookup mechanism (property resolver) was being performed on the message text being logged. This meant that if applications are logging user input (almost everyone does) a user could cause the Lookup mechanism to be invoked.
- Log4j 2 supports JNDI in various places, including as a lookup. JNDI itself is horribly insecure. The combined effect of these is what makes it a critical severity issue for Log4j 2. Log4j 1, as well as Logback, both have components that use JNDI and neither do anything to limit the JNDI vulnerabilities. In the case of Log4j 1 it is the JMS Appender. The exposure is smaller but it is still there. If someone can gain access to the logging configuration they could conceivably cause bad things to happen.
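An added example (not from the question or the answer) that automates the checks discussed above: it inspects JAR files for the Log4j 2 JndiLookup class the question greps for and for the Log4j 1 JMSAppender class the answer points to, and flags a log4j.properties that wires in that appender. The JMSAppender class path is assumed from its package name, org.apache.log4j.net.JMSAppender; the JARs in the test are constructed in memory.

```python
import io
import sys
import zipfile
from pathlib import Path

# Class files whose presence means JNDI-reachable code is on the classpath.
# The JndiLookup path is the one quoted in the question; the JMSAppender path is
# assumed from its package name (org.apache.log4j.net.JMSAppender) in log4j 1.2.
INDICATORS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class":
        "Log4j 2 JndiLookup (CVE-2021-44228 lookup path)",
    "org/apache/log4j/net/JMSAppender.class":
        "Log4j 1 JMSAppender (uses JNDI only if configured)",
}


def scan_jar(jar):
    """Return indicator descriptions found in a JAR given as bytes or a path."""
    src = io.BytesIO(jar) if isinstance(jar, (bytes, bytearray)) else jar
    with zipfile.ZipFile(src) as zf:
        names = set(zf.namelist())
    return [desc for path, desc in INDICATORS.items() if path in names]


def jms_appender_configured(properties_text):
    """True if a log4j 1.x properties config enables the JMSAppender (comments ignored)."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or line.startswith("!"):
            continue
        if "org.apache.log4j.net.JMSAppender" in line:
            return True
    return False


def scan_tree(root):
    """Walk a directory tree and map each .jar with findings to its indicator list."""
    return {str(p): hits for p in Path(root).rglob("*.jar") if (hits := scan_jar(p))}


def build_fake_jar(entries):
    """Construct a minimal in-memory JAR containing the given entry names (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", ", ".join(hits))
```

Run it against the directory your `find` located (for example `/etc/opt/jetty/lib/ext`); a hit on JMSAppender only matters if your logging configuration actually references that appender.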