Vulnerability trigger point
The vulnerability stems from the socket receivers deserializing input through ObjectInputStream without filtering data from untrusted sources. It is mitigated by adding a configurable class-filtering function and the related settings to TcpSocketServer and UdpSocketServer. Log4j has officially released a new version that fixes this vulnerability; the patched release can be downloaded from: http://download.nextag.com/apache/logging/log4j/2.8.2/
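The defensive pattern the paragraph describes is an ObjectInputStream that refuses to resolve any class not on an explicit allowlist. The following Java class is an added illustration written for this page, not Log4j's own code: the allowlist contents, the class name AllowlistObjectInputStream, and the sample objects are assumptions chosen for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Log4j code): an ObjectInputStream that only resolves
 * classes present on an explicit allowlist. Anything else is rejected in
 * resolveClass(), before the class is loaded or any instance is created.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {

    // Hypothetical allowlist: the handful of types a log-event receiver needs.
    // "java.lang.Number" is required because Long's serialized descriptor
    // carries its Serializable superclass; "[B" is byte[].
    static final Set<String> ALLOWED = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "java.lang.Long",
            "java.lang.Number",
            "java.util.HashMap",
            "[B")));

    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Fail closed: the stream named a class we never agreed to instantiate.
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Serialize an object to bytes; this stands in for data arriving over the socket. */
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the allowlist enforced. */
    static Object readAllowed(byte[] bytes) throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(bytes), ALLOWED)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: a map of String -> Long, every type on the allowlist.
        // (String values are written as TC_STRING and never pass through resolveClass.)
        Map<String, Long> event = new HashMap<>();
        event.put("level", 400L);
        event.put("line", 42L);
        System.out.println("accepted: " + readAllowed(toBytes(event)));

        // Constructed input 2: a java.util.Date, harmless but not on the allowlist,
        // so it must be rejected before any of its bytes are turned into an object.
        try {
            readAllowed(toBytes(new java.util.Date()));
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check lives in resolveClass() rather than after readObject() returns because by the time readObject() returns, constructors, readObject methods and readResolve hooks of every class in the stream have already run. On Java 9 and later (and 8u121+), the JDK offers the same control through ObjectInputStream.setObjectInputFilter / ObjectInputFilter, which additionally limits stream depth and array sizes.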
Scope of impact
Affected version
All Apache Log4j 2.* series versions: Apache Log4j 2.0-alpha1 – Apache Log4j 2.8.1
Unaffected version
Apache Log4j 2.8.2
Suggestions
Users of Java 7+ should upgrade to version 2.8.2 immediately or avoid using socket server related classes.
Reference link:
https://issues.apache.org/jira/browse/LOG4J2/fixforversion/12339750/?spm=5176.bbsr313258.0.0.sd9F87&selectedTab=com.atlassian.jira.jira-projects-plugin:version-summary-panel
Users of Java 6 should avoid using the TCP or UDP socket server classes. Alternatively, they can manually backport the relevant code changes from version 2.8.2 to address this vulnerability.
Reference link: https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=5dcc192
Article reference: http://toutiao.secjia.com/apache-log4j-deserialization-vulnerabilities-cve-2017-5645