Xiasha Forum

Title: Apache Log4j2 Remote Code Execution Vulnerability

Author: 煎饼    Time: 2021-12-15 10:10
Vulnerability description

Apache Log4j2 is a Java-based logging tool. It is a rewrite of the Log4j framework and introduces a large number of rich features. The framework is widely used in business-system development to record log information.

In most cases, developers write error messages derived from user input into the logs. An attacker can abuse this behaviour by constructing a specially crafted request that ultimately triggers remote code execution. Because the vulnerability's reach is extremely broad, all users are advised to check for it promptly; analysis by the 白帽汇 (NOSEC) security research institute has confirmed that many popular systems on the market are affected.

Severity: Critical

Affected versions

Apache Log4j 2.x < 2.15.0-rc2

Known affected components

Affected open-source components (project (group) | repository | versions):

elasticsearch (org.elasticsearch) | https://github.com/elastic/elasticsearch | 8.0.0-alpha2 and others (100 in total)
spring-webflux (org.springframework) | https://github.com/spring-projects/spring-framework | 5.2.6.RELEASE and others (40 in total)
druid (com.alibaba) | https://github.com/alibaba/druid | 1.2.8 and others (68 in total)
hystrix-rx-netty-metrics-stream (com.netflix.hystrix) | https://github.com/Netflix/Hystrix | 1.5.4 and others (2 in total)
spring-cloud-starter-alibaba-sentinel (com.alibaba.cloud) | https://github.com/alibaba/spring-cloud-alibaba | 2021.1 and others (14 in total)
spring-boot-starter-ahas-sentinel-client (com.alibaba.csp) | https://github.com/alibaba/Sentinel | 1.3.2 and others (17 in total)
redisson (org.redisson) | https://github.com/redisson/redisson | 2.2.24 and others (3 in total)
HikariCP (com.zaxxer) | https://github.com/brettwooldridge/HikariCP | 5.0.0 and others (27 in total)
zipkin-collector-service (io.zipkin) | https://github.com/openzipkin/zipkin | 1.40.2 and others (27 in total)
mybatis-plus (com.baomidou) | https://github.com/baomidou/mybatis-plus | 3.4.3.4 and others (41 in total)
zuul-sample (com.netflix.zuul) | https://github.com/Netflix/zuul | 2.3.0 and others (10 in total)
watson-data-api-client (com.ibm.watson.data) | https://github.com/OpenAPITools/openapi-generator | 0.1 and others (1 in total)
spring-boot-admin-sample-consul (de.codecentric) | https://github.com/codecentric/spring-boot-admin | 2.5.4 and others (40 in total)
jedis (redis.clients) | https://github.com/redis/jedis | jedis-3.6.2 and others (36 in total)
grpc-benchmarks (io.grpc) | https://github.com/grpc/grpc-java | 1.9.1 and others (65 in total)
ktor-client-json-tests (io.ktor) | https://github.com/ktorio/ktor | 1.6.7 and others (32 in total)
gitbucket_2.13 (io.github.gitbucket) | https://github.com/gitbucket/gitbucket | 4.32.0 and others (27 in total)
finagle-zipkin_2.12 (com.twitter) | https://github.com/twitter/finagle | 7.1.0 and others (56 in total)
resilience4j-vertx (io.github.resilience4j) | https://github.com/resilience4j/resilience4j | 0.9.0 and others (9 in total)
elasticsearch-sql (org.nlpcn) | https://github.com/NLPchina/elasticsearch-sql | 6.8.13.0 and others (9 in total)
exposed-spring-boot-starter (org.jetbrains.exposed) | https://github.com/JetBrains/Exposed | 0.36.2 and others (11 in total)
blade-sql2o (com.bladejava) | https://github.com/lets-blade/blade | 1.2.9 and others (1 in total)
netty-socketio (com.corundumstudio.socketio) | https://github.com/mrniko/netty-socketio | 1.7.19 and others (8 in total)
springfox-swagger2 (io.springfox) | https://github.com/springfox/springfox | 2.10.5 and others (6 in total)
main_2.12 (org.scala-sbt) | https://github.com/sbt/sbt | 1.6.0-RC1 and others (88 in total)
lettuce-core (io.lettuce) | https://github.com/lettuce-io/lettuce-core | 6.1.5.RELEASE and others (42 in total)
repository-azure (org.opensearch.plugin) | https://github.com/opensearch-project/OpenSearch | 1.2.0 and others (3 in total)
reactor-test (io.projectreactor) | https://github.com/reactor/reactor-core | 3.3.4.RELEASE and others (3 in total)
corda-webserver-impl (net.corda) | https://github.com/corda/corda | corda-3.0 and others (32 in total)
conductor-redis-persistence (com.netflix.conductor) | https://github.com/Netflix/conductor | 3.3.6 and others (100 in total)
armeria (com.linecorp.armeria) | https://github.com/line/armeria | 0.26.1.Final and others (2 in total)
breeze-parent_2.13 (org.scalanlp) | https://github.com/scalanlp/breeze | 2.0.1-RC1 and others (5 in total)
micrometer-core (io.micrometer) | https://github.com/micrometer-metrics/micrometer | 1.8.1 and others (98 in total)
alink_connector_jdbc_sqlite_flink-1.9_2.11 (com.alibaba.alink) | https://github.com/alibaba/Alink | 1.5.1 and others (3 in total)
initializr-actuator (io.spring.initializr) | https://github.com/spring-io/initializr | 0.9.0 and others (6 in total)
telegrambots-spring-boot-starter (org.telegram) | https://github.com/rubenlagus/TelegramBots | 4.9.1 and others (17 in total)
spring-data-elasticsearch (org.springframework.data) | https://github.com/spring-projects/spring-data-elasticsearch | 4.3.0 and others (86 in total)
feast-common (dev.feast) | https://github.com/feast-dev/feast | 0.9.2 and others (26 in total)
javamelody-core (net.bull.javamelody) | https://github.com/javamelody/javamelody | 1.88.0 and others (13 in total)
analytics-zoo-bigdl_0.13.0-spark_3.0.0 (com.intel.analytics.zoo) | https://github.com/intel-analytics/analytics-zoo | 0.11.0-RC1 and others (4 in total)
scio-tensorflow_2.13 (com.spotify) | https://github.com/spotify/scio | 0.9.6 and others (97 in total)
grpc-client-spring-boot-autoconfigure (net.devh) | https://github.com/yidongnan/grpc-spring-boot-starter | 2.9.0.RELEASE and others (16 in total)
inject-server_2.12 (com.twitter) | https://github.com/twitter/finatra | 21.9.0 and others (56 in total)
client-java-examples (io.kubernetes) | https://github.com/kubernetes-client/java | 8.0.2 and others (1 in total)
reactivesocket-tck-drivers (io.reactivesocket) | https://github.com/rsocket/rsocket-java | 0.6.0 and others (1 in total)
jest-droid (io.searchbox) | https://github.com/searchbox-io/Jest | 6.3.1 and others (8 in total)
graphql-dgs-example-java-webflux (com.netflix.graphql.dgs) | https://github.com/Netflix/dgs-framework | 4.9.7 and others (36 in total)
quill-jdbc-monix_2.11 (io.getquill) | https://github.com/getquill/quill | 3.9.0 and others (62 in total)
doobie-quill_2.12 (org.tpolecat) | https://github.com/tpolecat/doobie | 1.0.0-RC1 and others (61 in total)
http4k (org.http4k) | https://github.com/http4k/http4k | 4.3.4.1 and others (3 in total)
elasticsearch-hadoop (org.elasticsearch) | https://github.com/elastic/elasticsearch-hadoop | 8.0.0-beta1 and others (100 in total)
sbt-shading (io.get-coursier) | https://github.com/coursier/coursier | 1.0.0-RC8 and others (1 in total)
spark-cassandra-connector-unshaded_2.10 (com.datastax.spark) | https://github.com/datastax/spark-cassandra-connector | 2.0.9 and others (54 in total)
webdrivermanager (io.github.bonigarcia) | https://github.com/bonigarcia/webdrivermanager | 4.0.0 and others (15 in total)
common-auth-v3 (com.tencent.bk.devops.ci.common) | https://github.com/Tencent/bk-ci | 1.2.0-rc.7-RELEASE and others (3 in total)
reactor-netty (io.projectreactor.netty) | https://github.com/reactor/reactor-netty | 1.0.9 and others (75 in total)
evcache-client-sample (com.netflix.evcache) | https://github.com/Netflix/EVCache | 5.18.9 and others (63 in total)
xtdb-test (com.xtdb) | https://github.com/xtdb/xtdb | 1.20.0 and others (9 in total)
transport-netty4 (com.strapdata.elasticsearch.plugin) | https://github.com/strapdata/elassandra | 6.2.3.31 and others (14 in total)
sbt-metals (org.scalameta) | https://github.com/scalameta/metals | 0.9.9 and others (17 in total)
elastic4s-embedded_2.12 (com.sksamuel.elastic4s) | https://github.com/sksamuel/elastic4s | 6.7.8 and others (100 in total)
genie-agent (com.netflix.genie) | https://github.com/Netflix/genie | 4.0.4 and others (100 in total)
spring-kafka (org.springframework.kafka) | https://github.com/spring-projects/spring-kafka | 2.7.9 and others (79 in total)
db-async-common_2.13 (com.dripower) | https://github.com/mauricio/postgresql-async | 0.3.109 and others (19 in total)
selenide (com.codeborne) | https://github.com/selenide/selenide | 5.25.0-selenium-4.0.0-rc-2 and others (18 in total)
cloudfoundry-identity-server (org.cloudfoundry.identity) | https://github.com/cloudfoundry/uaa | 4.30.0 and others (1 in total)
servo-atlas (com.netflix.servo) | https://github.com/Netflix/servo | 0.13.2 and others (20 in total)
rxnetty-spectator-tcp (io.reactivex) | https://github.com/ReactiveX/RxNetty | 0.5.3-rc.4 and others (12 in total)
mleap-tensorflow_2.10 (ml.combust.mleap) | https://github.com/combust/mleap | 0.9.6 and others (25 in total)
spark-testing-base_2.12 (com.holdenkarau) | https://github.com/holdenk/spark-testing-base | 2.4.4_1.1.1 and others (100 in total)
graphql-kotlin-spring-client (com.expediagroup) | https://github.com/ExpediaGroup/graphql-kotlin | 5.0.0-alpha.0 and others (20 in total)
graphql-spring-boot-test-autoconfigure (com.graphql-java-kickstart) | https://github.com/graphql-java-kickstart/graphql-spring-boot | 8.1.1 and others (33 in total)
discord4j-rest (com.discord4j) | https://github.com/Discord4J/Discord4J | 3.2.1 and others (15 in total)
twitter-server-logback-classic_2.13 (com.twitter) | https://github.com/twitter/twitter-server | 21.9.0 and others (54 in total)
synthea (org.mitre.synthea) | https://github.com/synthetichealth/synthea | 2.7.0 and others (2 in total)
spring-integration-redis (org.springframework.integration) | https://github.com/spring-projects/spring-integration | 5.5.6 and others (30 in total)
cyclops-reactor-integration (com.oath.cyclops) | https://github.com/aol/cyclops | 10.4.0 and others (1 in total)
akka-stream-alpakka-geode_2.12 (com.lightbend.akka) | https://github.com/akka/alpakka | 1.0-M1 and others (13 in total)
mantis-client (io.mantisrx) | https://github.com/Netflix/mantis | 1.3.9 and others (83 in total)
mybatis-generator-plugin (com.itfsw) | https://github.com/itfsw/mybatis-generator-plugin | 1.2.9 and others (31 in total)
ktorm-support-sqlserver (org.ktorm) | https://github.com/kotlin-orm/ktorm | 3.3.0 and others (11 in total)
gatk (org.broadinstitute) | https://github.com/broadinstitute/gatk | 4.beta.2 and others (39 in total)
azure-messaging-servicebus (com.azure) | https://github.com/Azure/azure-sdk-for-java | 7.5.1 and others (100 in total)
mica-metrics (net.dreamlu) | https://github.com/lets-mica/mica | 2.5.7 and others (7 in total)
shiro-redis (org.crazycake) | https://github.com/alexxiyang/shiro-redis | 3.3.1 and others (2 in total)
enumeratum-play_2.12 (com.beachape) | https://github.com/lloydmeta/enumeratum | 1.5.16 and others (2 in total)
jdonframework (org.jdon) | https://github.com/banq/jdonframework | 6.6.8 and others (1 in total)
weid-java-sdk (com.webank) | https://github.com/WeBankBlockchain/WeIdentity | 1.8.1 and others (3 in total)
log-protocol (io.shulie.pradar) | https://github.com/shulieTech/Takin | 2.0.3 and others (3 in total)
micro-boot (com.oath.microservices) | https://github.com/aol/micro-server | 1.2.6 and others (38 in total)
sparkling-water-package_2.11 (ai.h2o) | https://github.com/h2oai/sparkling-water | 2.4.10 and others (36 in total)
scalatest_2.13 (au.com.dius.pact.provider) | https://github.com/pact-foundation/pact-jvm | 4.2.4 and others (5 in total)
mssql-jdbc (com.microsoft.sqlserver) | https://github.com/microsoft/mssql-jdbc | 8.3.0.jre11-preview and others (100 in total)
elide-spring-boot-starter (com.yahoo.elide) | https://github.com/yahoo/elide | 6.0.3 and others (45 in total)
kafka-connect-elastic5 (com.datamountaineer) | https://github.com/lensesio/stream-reactor | 1.2.0 and others (5 in total)
kvision-server-spring-boot-jvm (io.kvision) | https://github.com/rjaros/kvision | 5.4.3 and others (9 in total)
r2dbc-postgresql (org.postgresql) | https://github.com/pgjdbc/r2dbc-postgresql | 0.9.0.RC1 and others (8 in total)
play-slick-evolutions_2.13 (com.typesafe.play) | https://github.com/playframework/play-slick | 5.0.0-RC3 and others (29 in total)
sbt-bloop-core (ch.epfl.scala) | https://github.com/scalacenter/bloop | 1.4.8-43-c2d941d9 and others (29 in total)
jcseg-elasticsearch (org.lionsoul) | https://github.com/lionsoul2014/jcseg | 2.6.2 and others (7 in total)

For more affected components, query the following link: https://log4j2.huoxian.cn/

Vulnerability check

Code check: inspect pom.xml for dependencies on org.apache.logging.log4j or org.apache.logging.log4j2.

Linux:

sudo find / -name "*log4j-*.jar"

Windows: search the file system for files matching *log4j*.jar
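As an added example (not part of the advisory), the file search above can be carried one step further: walk a directory for log4j jars, read Implementation-Version from each jar's META-INF/MANIFEST.MF, and flag releases inside the affected range stated above (2.x below 2.15.0). The directory tree and its two jars are constructed by demo_scan() purely for the demo; the version parser keeps only the numeric release number, so a -rc suffix is ignored.

```python
import os
import re
import tempfile
import zipfile

AFFECTED_BELOW = (2, 15, 0)  # advisory range: Apache Log4j 2.x < 2.15.0


def jar_version(path):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if unreadable."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def is_affected(version):
    """True for 2.x releases below 2.15.0; suffixes such as -rc2 are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return False  # unparsable or missing version: inspect by hand, do not guess
    major, minor, patch = (int(x or 0) for x in m.groups())
    return major == 2 and (major, minor, patch) < AFFECTED_BELOW


def scan(root):
    """Walk root (like the advisory's find / -name "*log4j-*.jar") and return
    (filename, version, affected) for every log4j jar found."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if "log4j" in name.lower() and name.lower().endswith(".jar"):
                version = jar_version(os.path.join(dirpath, name))
                report.append((name, version, is_affected(version)))
    return report


def demo_scan():
    """Build a throwaway tree with two constructed sample jars and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for version in ("2.14.1", "2.15.0"):
        path = os.path.join(root, "lib", "log4j-core-%s.jar" % version)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:  # constructed: manifest only
            jar.writestr("META-INF/MANIFEST.MF",
                         "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
    return scan(root)
```

Call scan("/") on a real host to reproduce the find command; demo_scan() runs the same logic against the constructed jars.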

Attack check

Log check:

Before exploiting, attackers usually scan and probe via DNSlog. For the common exploitation methods, search the application's error logs for the following keywords:

"javax.naming.CommunicationException"

"javax.naming.NamingException: problem generating object using object factory"

"Error looking up JNDI resource"

Traffic check:

Attacker request packets may contain the strings "${jndi:rmi" or "${jndi:ldap"; search captured traffic for such keywords.
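The two checks above (error-log keywords and the lookup prefixes in traffic) combined into one triage pass, as an added example that is not part of the advisory. It uses only the indicators quoted above, matches the lookup prefix case-insensitively because Log4j resolves it that way, and runs over a handful of constructed log lines with the remote host redacted.

```python
import re
from collections import Counter

# Indicators quoted in the advisory; nothing beyond them is assumed.
LOG_KEYWORDS = (
    "javax.naming.CommunicationException",
    "javax.naming.NamingException: problem generating object using object factory",
    "Error looking up JNDI resource",
)
TRAFFIC_PATTERN = re.compile(r"\$\{jndi:(?:rmi|ldap)", re.IGNORECASE)


def classify_line(line):
    """Return 'jndi-lookup', the matching error-log keyword, or None."""
    if TRAFFIC_PATTERN.search(line):
        return "jndi-lookup"
    for keyword in LOG_KEYWORDS:
        if keyword in line:
            return keyword
    return None


def triage(lines):
    """Map each matching line number (1-based) to the indicator it matched."""
    hits = {}
    for number, line in enumerate(lines, 1):
        indicator = classify_line(line)
        if indicator:
            hits[number] = indicator
    return hits


def summarize(lines):
    """Count how many lines matched each indicator."""
    return Counter(triage(lines).values())


# Constructed sample: two access-log lines and three application-log lines.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:08:12:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:08:12:09 +0000] "GET /login HTTP/1.1" 200 512 "-" "${JNDI:ldap://REDACTED}"',
    '2021-12-10 08:12:09,873 WARN  o.a.l.c.l.JndiLookup - Error looking up JNDI resource [ldap://REDACTED].',
    '2021-12-10 08:12:09,874 WARN  javax.naming.CommunicationException: REDACTED [Root exception is java.net.ConnectException]',
    '2021-12-10 08:13:00,001 INFO  c.e.app.Login - user alice logged in',
]
```

Feed real lines into triage() and summarize() to see which indicator each line matched and how often.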

Vulnerability reproduction

Vulfocus lab environment

Vulfocus has already integrated a Log4j2 environment; it can be started for testing via the following link:

http://vulfocus.fofa.so/#/dashboard?image_id=3b8f15eb-7bd9-49b2-a69e-541f89c4216c

Alternatively, pull a local environment with docker pull vulfocus/log4j2-rce-2021-12-09:latest and start it locally with: docker run -d -P vulfocus/log4j2-rce-2021-12-09:latest

Remediation

1. Block outbound connections from servers that use log4j, and upgrade the JDK to 11.0.1, 8u191, 7u201, 6u211 or later (these releases stop the JNDI LDAP client from loading classes from a remote codebase by default).

2. Upgrade to log4j-2.15.0-rc2:

     Download: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2

3. Emergency mitigations (the formatMsgNoLookups switch exists only in Log4j 2.10 and later):

(1) Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true

(2) Set the configuration property log4j2.formatMsgNoLookups=True

(3) Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true



Source: https://nosec.org/home/detail/4917.html






Welcome to Xiasha Forum (http://bbs.xiasha.cn/) Powered by Discuz! X3.3