[官网]Apache Log4j2 最新版安全提示 2.17.0
https://logging.apache.org/log4j/2.x/ 最近一个周的时间 log4j2 从 2.14 跃升到了2.17 还在不停的升级 安全问题正是焦头烂额 free software 和 opensource 的实质 其实是 自有 而不是 免费. 大家都把free 理解成了免费, 导致现在所有的开源软件 大家都缺少动力. 很多时候 爱好也重要. 但是吃饭更重要.
Apache Log4j 2
Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback’s architecture.
Important: Security Vulnerability CVE-2021-45105
The Log4j team has been made aware of a security vulnerability, CVE-2021-45105, that has been addressed in Log4j 2.17.0 for Java 8 and up.
Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
Details
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.
Mitigation
From version 2.17.0 (for Java 8), only lookup strings in configuration are expanded recursively; in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved.
In prior releases this issue can be mitigated by ensuring your logging configuration does the following:
- In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId}or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
- Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
Reference
Please refer to the Security page for details and mitigation measures for older versions of Log4j.
Important: Security Vulnerability CVE-2021-45046
The Log4j team has been made aware of a security vulnerability, CVE-2021-45046, that has been addressed in Log4j 2.12.2 for Java 7 and 2.16.0 for Java 8 and up.
Summary: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
Details
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.
Note that previous mitigations involving configuration such as setting the system property log4j2.formatMsgNoLookups to true do NOT mitigate this specific vulnerability.
Mitigation
In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. Usage of JNDI in configuration now needs to be enabled explicitly. Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. The message lookups feature has been completely removed. Lookups in configuration still work.
From version 2.16.0 (for Java 8), the message lookups feature has been completely removed. Lookups in configuration still work. Furthermore, Log4j now disables access to JNDI by default. Users are advised not to enable JNDI in Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.
Reference
Please refer to the Security page for details and mitigation measures for older versions of Log4j.
Important: Security Vulnerability CVE-2021-44228
The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.12.2 and Log4j 2.16.0.
Summary
Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution.
Details
One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. This meant that when user input is logged, and that user input contained a JNDI Lookup pointing to a malicious server, then Log4j would resolve that JNDI Lookup, connect to that server, and potentially download serialized Java code from that remote server. This in turn could execute any code during deserialization. This is known as a RCE (Remote Code Execution) attack.
Mitigation
In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. Usage of JNDI in configuration now needs to be enabled explicitly. Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. The message lookups feature has been completely removed. Lookups in configuration still work.
From version 2.16.0 (for Java 8), the message lookups feature has been completely removed. Lookups in configuration still work. Furthermore, Log4j now disables access to JNDI by default. Users are advised not to enable JNDI in Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.
Reference
Please refer to the Security page for mitigation measures for older versions of Log4j.
Features
API Separation
The API for Log4j is separate from the implementation making it clear for application developers which classes and methods they can use while ensuring forward compatibility. This allows the Log4j team to improve the implementation safely and in a compatible manner.
The Log4j API is a logging facade that may, of course, be used with the Log4j implementation, but may also be used in front of other logging implementations such as Logback. The Log4j API has several advantages over SLF4J: 1. The Log4j API supports logging Messages instead of just Strings. 2. The Log4j API supports lambda expressions. 3. The Log4j API provides many more logging methods than SLF4J. 4. In addition to the “parameterized logging” format supported by SLF4J, the Log4j API also supports events using the java.text.MessageFormat syntax as well printf-style messages. 5. The Log4j API provides a LogManager.shutdown() method. The underlying logging implementation must implement the Terminable interface for the method to have effect. 6. Other constructs such as Markers, log Levels, and ThreadContext (aka MDC) are fully supported.
Improved Performance
Log4j 2 contains next-generation Asynchronous Loggers based on the LMAX Disruptor library. In multi-threaded scenarios Asynchronous Loggers have 18 times higher throughput and orders of magnitude lower latency than Log4j 1.x and Logback. See Asynchronous Logging Performance for details. Otherwise, Log4j 2 significantly outperforms Log4j 1.x, Logback and java.util.logging, especially in multi-threaded applications. See Performance for more information.
Support for multiple APIs
While the Log4j 2 API will provide the best performance, Log4j 2 provides support for the Log4j 1.2, SLF4J, Commons Logging and java.util.logging (JUL) APIs.
Avoid lock-in
Applications coded to the Log4j 2 API always have the option to use any SLF4J-compliant library as their logger implementation with the log4j-to-slf4j adapter.
Automatic Reloading of Configurations
Like Logback, Log4j 2 can automatically reload its configuration upon modification. Unlike Logback, it will do so without losing log events while reconfiguration is taking place.
Advanced Filtering
Like Logback, Log4j 2 supports filtering based on context data, markers, regular expressions, and other components in the Log event. Filtering can be specified to apply to all events before being passed to Loggers or as they pass through Appenders. In addition, filters can also be associated with Loggers. Unlike Logback, you can use a common Filter class in any of these circumstances.
Plugin Architecture
Log4j uses the plugin pattern to configure components. As such, you do not need to write code to create and configure an Appender, Layout, Pattern Converter, and so on. Log4j automatically recognizes plugins and uses them when a configuration references them.
Property Support
You can reference properties in a configuration, Log4j will directly replace them, or Log4j will pass them to an underlying component that will dynamically resolve them. Properties come from values defined in the configuration file, system properties, environment variables, the ThreadContext Map, and data present in the event. Users can further customize the property providers by adding their own Lookup Plugin.
Java 8 Lambda Support
Previously, if a log message was expensive to construct, you would often explicitly check if the requested log level is enabled before constructing the message. Client code running on Java 8 can benefit from Log4j’s lambda support. Since Log4j will not evaluate a lambda expression if the requested log level is not enabled, the same effect can be achieved with less code.
Custom Log Levels
In Log4j 2, custom log levels can easily be defined in code or in configuration. No subclassing is required.
Log Builder API
In addition to using one of the many log methods in the Log4j API, log events can be constructed using a builder. See [Log Builder][manual/logbuilder.html] for more information.
Garbage-free
During steady state logging, Log4j 2 is garbage-free in stand-alone applications, and low garbage in web applications. This reduces pressure on the garbage collector and can give better response time performance.
Integrating with Application Servers
Version 2.10.0 added the module log4j-appserver to improve integration with Apache Tomcat and Eclipse Jetty.
Cloud Enabled
Version 2.12.0 introduced support for accessing Docker container information via a Lookup and for accessing and updating the Log4j configuration through Spring Cloud Configuration. This support was enhanced in version 2.13.0 to add support for accessing Spring Boot properties as well as Kubernetes information. See Logging in the Cloud for details.
Compatible with Log4j 1.x
The Log4j-1.2-api module of Log4j 2 provides compatiblity for applications using the Log4j 1 logging methods. As of Log4j 2.13.0 Log4j 2 also provides experimental support for Log4j 1.x configuration files. See Log4j 2 Compatiblity with Log4j 1 for more information.
Documentation
The Log4j 2 User’s Guide is available on this site or as a downloadable PDF.
Requirements
Log4j 2.13.0 and greater require Java 8. Version 2.4 through 2.12.1 required Java 7 (the Log4j team no longer supports Java 7). Some features require optional dependencies; the documentation for these features will specify the required dependencies.
News
Log4j 2.17.0 has been released solely to:
- Address CVE-2021-45105.
- Require components that use JNDI to be enabled individually via system properties.
- Remove LDAP and LDAPS as supported protocols from JNDI.
2.17.0 is a recommended upgrade to ensure that recursive lookups do not cause services to fail.
Log4j 2.17.0 is now available for production. The API for Log4j 2 is not compatible with Log4j 1.x, however an adapter is available to allow applications to continue to use the Log4j 1.x API. Adapters are also available for Apache Commons Logging, SLF4J, and java.util.logging.
Log4j 2.17.0 is the latest release of Log4j. As of Log4j 2.13.0 Log4j 2 requires Java 8 or greater at runtime. This release contains new features and fixes which can be found in the latest changes report.
Log4j 2.17.0 maintains binary compatibility with previous releases.
[官网]Apache Log4j2 最新版安全提示 2.17.0的更多相关文章
- 全网最详细中英文ChatGPT-GPT-4示例文档-官网推荐的48种最佳应用场景——从0到1快速入门AI智能问答应用场景(附python/node.js/curl命令源代码,小白也能学)
目录 Introduce 简介 setting 设置 Prompt 提示 Sample response 回复样本 API request 接口请求 python接口请求示例 node.js接口请求示 ...
- 在官网下载了最新版的PHP,解压后的安装包里为什么没有php5isapi.dll这个dll文件?
因为自PHP 5.3.1版本开始,PHP便已不在支持ISAPI模式,所以你在PHP5.3.1版本以上的php目录中看不到php5isapi.dll文件. 那么,IIS6下跑PHP 5.3.1以上版本时 ...
- 小程序官网CMS开源项目出炉,Weixin-App-CMS 1.0 版本正式发布
Weixin-App-CMS 是捷微团队开发的微信小程序CMS开源项目,涵盖了微网站的基本功能,能够快速发布简单易用的小程序网站.采用工具“微信web开发”上传小程序,即可快速体验发布体验小程序网站. ...
- jQuery Validate (摘自官网)
jQuery Validate 插件为表单提供了强大的验证功能,让客户端表单验证变得更简单,同时提供了大量的定制选项,满足应用程序各种需求.该插件捆绑了一套有用的验证方法,包括 URL 和电子邮件验证 ...
- PHP环境配置-从Apache官网下载windows版apache服务器
由于个人有强迫倾向,下载软件都喜欢从官网下载,摸索了好久终于摸清楚怎么从Apache官网下载windows安装版的Apache服务器了,现在分享给大家. 进入apache服务器官网http://htt ...
- apache官网怎样下载apache HTTP Server服务器
我相信有些朋友刚用apache服务器时,都希望从官网上下载,而面对着官网上众多的项目和镜像以及目录,也许有点茫然.下面是具体步骤 第一步:打开apache官网 第二步:点击右上角Download,出现 ...
- 蓝灯官网下载,蓝灯最新版下载,Lantern(蓝灯)
蓝灯官网下载,蓝灯最新版下载,Lantern(蓝灯)下载 >>>>>>>>>>>>>>>>>> ...
- Apache Maven-AntRun-Plugin 官网 bug
Maven AntRun Plugin 今天在 Apache maven-antrun-plugin 官网查找资料时,竟然发现了一个bug!! 在此记录下,以免在同一个地方摔倒两次! 想起一句话,尽信 ...
- 谈谈如何从Apache官网扒文档
学习java的猴子至少要会看文档, 一.从Apache官网下载文档 进入官网--components--例如点击FileUpload--点击最下面browser download area--点击bi ...
- SQLyog-12.4.2版下载,SQLyog最新版下载,SQLyog官网下载,SQLyog Download
SQLyog-12.4.2版下载,SQLyog最新版下载,SQLyog官网下载,SQLyog Download >>>>>>>>>>> ...
随机推荐
- 云图说丨云数据库GaussDB(for MySQL)事务拆分大揭秘
摘要:数据库代理提供事务拆分的功能,能够将事务内写操作之前的读请求转发到只读节点,降低主节点负载. 本文分享自华为云社区<[云图说]第270期 云数据库GaussDB(for MySQL)事务拆 ...
- 如何通过一个SDK轻松搞定人脸识别,拯救初入职场的程序猿
摘要:看一个SDK如何拯救初入职场的程序猿小Hi- [职场初体验] 时间过得真快,距离上次给小Hi安排"人脸识别"的开发任务(话接上期:[快速玩转华为云开发]小Hi拍了拍你,基于华 ...
- vue2升级vue3:vue3真的需要vuex或者Pinia吗?hooks全有了
在写 <vue2升级vue3:TypeScript下vuex-module-decorators/vuex-class to vuex4.x>,建议新项目使用 Pinia,但是我的项目部分 ...
- 五大不良 coding 习惯,你占了几样?
在之前的文章中,我们一起解读了2021年数据成本报告.根据 IBM 和 Ponemon Institute 2021年的报告,全球平均数据泄露成本约为424万美元.为了降低数据泄露造成的成本,企业可以 ...
- 火山引擎数智平台协助洞察美图类APP新增长,付费用户转化超过 124%
更多技术交流.求职机会,欢迎关注字节跳动数据平台微信公众号,回复[1]进入官方交流群 美图类 APP 的下一个增长点在哪里? 目前,国内市场上的美图类 APP 大多都遵循着基础功能免费使用.个性化热门 ...
- 使用root ssh登录ubuntu22.4配置
前言 在安装k8s集群时,需要使用root用户ssh登录远程服务器进行安装操作,但是root登录是默认关闭的,因此本篇讲解如何开启配置, 当前测试版本 ubuntu22.4 安装部署 使用管理权限打开 ...
- auth认证模块 auth_user表扩展
目录 auth认证模块前戏 django后台管理功能 创建超级管理员 auth认证相关模块及操作 用户注册 用户登录 网站首页效果 校验用户登录的装饰器 用户修改密码 用户注销登录 auth_user ...
- 【源码系列#06】Vue3 Diff算法
专栏分享:vue2源码专栏,vue3源码专栏,vue router源码专栏,玩具项目专栏,硬核推荐 欢迎各位ITer关注点赞收藏 Vue2 Diff算法可以参考此篇文章[Vue2.x源码系列08]Di ...
- 🔥 DeepVideo 智能视频生产训练营火热报名中!
阿里云视频云和阿里云开发者学堂联合打造 国内首个视频云训练营11月8日启幕 四天直播,技术大咖亲临授课干货 全面介绍视频智能生产技术和产品 帮助开发者迅速入门视频云 已超千人报名,丰富打卡玩法礼品 活 ...
- SSL 证书过期巡检脚本
哈喽大家好,我是咸鱼 我们知道 SSL 证书是会过期的,一旦过期之后需要重新申请.如果没有及时更换证书的话,就有可能导致网站出问题,给公司业务带来一定的影响 所以说我们要每隔一定时间去检查网站上的 S ...