How to quickly check AWS Lambdas with Log4j2 library

In an environment with more than 100 Lambda functions on the Java 8 runtime, how can I quickly check whether any Lambda is using a vulnerable version of Log4j 2?

Most likely AWS has already taken care of this for you.

From https://aws.amazon.com/security/security-bulletins/AWS-2021-006/

AWS Lambda

AWS Lambda does not include Log4j2 in its managed runtimes or base container images. These are therefore not affected by the issue described in CVE-2021-44228 and CVE-2021-45046.

For cases where a customer function includes an impacted Log4j2 version, we have applied a change to the Lambda Java managed runtimes and base container images (Java 8, Java 8 on AL2, and Java 11) that helps to mitigate the issues in CVE-2021-44228 and CVE-2021-45046. Customers using managed runtimes will have the change applied automatically.

Customers using container images will need to rebuild from the latest base container image, and redeploy.

Independent of this change, we strongly encourage all customers whose functions include Log4j2 to update to the latest version. Specifically, customers using the aws-lambda-java-log4j2 library in their functions should update to version 1.4.0 and redeploy their functions. This version updates the underlying Log4j2 utility dependencies to version 2.16.0. The updated aws-lambda-java-log4j2 binary is available at the Maven repository and its source code is available in Github.

It would be much easier to check your build scripts and their output, but assuming you can't do that...

To look at an existing function, you need to download the function code. If you run aws lambda get-function you should see a Code element whose URL points to an AWS server (e.g. prod-04-2014-tasks.s3.us-east-1.amazonaws.com). This is a public URL from which you can download the Lambda's deployment package with wget or curl.

Then unzip the deployment package. If it contains JAR files, simply look for a vulnerable Log4J version.

However, if it is an "uberjar" that contains only class files, you need to look at the date on the file MessagePatternConverter.class. If it is before 2021-12-05, then you are vulnerable. Look for a date of 2021-12-20 for the latest version (2.17.0).
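The check described in the answer above, written out as an added example (not code from the answer's author or from AWS): it extracts Code.Location from the JSON that aws lambda get-function prints, then inspects a downloaded deployment package for a versioned log4j-core jar older than 2.17.0 or a MessagePatternConverter.class dated before 2021-12-05. It goes one step beyond the answer by also opening nested jars whose file name carries no version and applying the class-date check inside them. The sample get-function output and the sample packages are constructed in memory so the script runs offline; in practice you would fetch the real package with curl from the URL the first function returns and pass its bytes to check_package.

```python
"""Check a Lambda deployment package for vulnerable Log4j 2 (added example)."""
import io
import json
import re
import zipfile
from datetime import datetime

# Thresholds from the answer: MessagePatternConverter.class dated before
# 2021-12-05 is vulnerable; 2021-12-20 corresponds to 2.17.0.
FIXED_CLASS_DATE = datetime(2021, 12, 5)
FIXED_VERSION = (2, 17, 0)
CONVERTER_CLASS = "org/apache/logging/log4j/core/pattern/MessagePatternConverter.class"
LOG4J_CORE_JAR = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def code_location(get_function_json):
    """Return Code.Location (the package download URL) from `aws lambda get-function` output."""
    return json.loads(get_function_json)["Code"]["Location"]


def log4j_core_version(name):
    """Return (major, minor, patch) for a log4j-core-X.Y.Z.jar entry name, else None."""
    m = LOG4J_CORE_JAR.search(name)
    return tuple(int(x) for x in m.groups()) if m else None


def check_package(zip_bytes, prefix=""):
    """Return a list of findings for one package; an empty list means nothing was flagged.

    Handles three layouts: a versioned log4j-core jar inside the package, an uberjar
    where the converter class is a direct entry, and an unversioned nested jar that is
    opened and checked recursively (the prefix keeps the nested path readable).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as pkg:
        for info in pkg.infolist():
            name = prefix + info.filename
            if info.filename.endswith(".jar"):
                ver = log4j_core_version(info.filename)
                if ver is None:
                    # No version in the name: look inside the jar instead of trusting it.
                    try:
                        findings.extend(check_package(pkg.read(info.filename), name + "!/"))
                    except zipfile.BadZipFile:
                        pass  # not a readable jar; nothing to inspect by this method
                elif ver[0] == 2 and ver < FIXED_VERSION:
                    findings.append(f"{name}: log4j-core {'.'.join(map(str, ver))} is older than 2.17.0")
            elif info.filename.endswith(CONVERTER_CLASS):
                built = datetime(*info.date_time)  # zip entry timestamp (2 s granularity)
                if built < FIXED_CLASS_DATE:
                    findings.append(f"{name}: dated {built:%Y-%m-%d}, before 2021-12-05")
    return findings


def build_zip(entries):
    """Construct an in-memory zip/jar from (name, bytes, date_time) tuples (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data, date_time in entries:
            z.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


# Constructed samples, not real Lambda output or real packages.
FAKE_CLASS = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class file
SAMPLE_GET_FUNCTION = json.dumps({
    "Configuration": {"FunctionName": "example-fn", "Runtime": "java8"},
    "Code": {"RepositoryType": "S3",
             "Location": "https://prod-04-2014-tasks.s3.us-east-1.amazonaws.com/EXAMPLE-PATH"},
})
PKG_VERSIONED_JARS = build_zip([
    ("lib/log4j-core-2.14.1.jar", b"", (2021, 3, 12, 0, 0, 0)),
    ("com/example/Handler.class", FAKE_CLASS, (2021, 11, 1, 0, 0, 0)),
])
PKG_OLD_UBERJAR = build_zip([(CONVERTER_CLASS, FAKE_CLASS, (2021, 3, 12, 0, 0, 0))])
PKG_NEW_UBERJAR = build_zip([(CONVERTER_CLASS, FAKE_CLASS, (2021, 12, 20, 0, 0, 0))])
PKG_NESTED_JAR = build_zip([("lib/logging-bundle.jar", PKG_OLD_UBERJAR, (2021, 3, 13, 0, 0, 0))])

if __name__ == "__main__":
    print("package URL:", code_location(SAMPLE_GET_FUNCTION))
    for label, pkg in [("versioned jars", PKG_VERSIONED_JARS), ("old uberjar", PKG_OLD_UBERJAR),
                       ("patched uberjar", PKG_NEW_UBERJAR), ("nested jar", PKG_NESTED_JAR)]:
        print(f"{label}: {check_package(pkg) or ['clean']}")
```

For the hundred-function case, loop over the names from aws lambda list-functions, call get-function for each, download Code.Location, and feed the bytes to check_package; any non-empty result names the entry that triggered it. The date check is only as good as the timestamps the build tool wrote into the jar, so treat an old date as a reason to open the jar's META-INF manifest, not as the final word.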