突發！Log4j 爆“核彈級”漏洞，Flink、Kafka等至少十多個項目受影響

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"昨晚，對很多程序員來說可能是一個不眠之夜。12 月 10 日凌晨，Apache 開源項目 Log4j 的遠程代碼執行漏洞細節被公開，由於 Log4j 的廣泛使用，該漏洞一旦被攻擊者利用會造成嚴重危害。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"據悉，Apache Log4j 2.x <= 2.14.1 版本均回會受到影響。根據“"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzA5MDc1NDc1MQ==&mid=2247490981&idx=1&sn=a6cbdc953c90467a598149167fca0c28&scene=21#wechat_redirect","title":"","type":null},"content":[{"type":"text","text":"微步在線研究響應中心"}]},{"type":"text","text":"”消息，可能的受影響應用包括但不限於：Spring-Boot-strater-log4j2、Apache Struts2、Apache Solr、Apache Flink、Apache Druid、Elasticsearch、Flume、Dubbo、Redis、Logstash、Kafka 等。很多互聯網企業都連夜做了應急措施。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"截至本文發出，鬥魚、京東、網易、深信服和汽車產業安全應急響應中心皆發文表示，鑑於該漏洞影響範圍比較大，業務自查及升級修復需要一定時間，暫不接收 Log4j2 相關的遠程代碼執行漏洞。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/d4\/d42f909789c3b8d422f36c848b89c136.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"lookup 功能造成的漏洞"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Log4j 是一款開源 Java 日誌記錄工具。日誌記錄主要用來監視代碼中變量的變化情況，週期性的記錄到文件中供其他應用進行統計分析工作；跟蹤代碼運行時軌跡，作爲日後審計的依據；擔當集成開發環境中的調試器的作用，向文件或控制檯打印代碼的調試信息。因此，對於程序員來說，日誌記錄非常重要。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在強調可重用組件開發的今天，Apache 提供的強有力的日誌操作包 Log4j。Log4j 可以輕鬆控制 log 信息是否顯示、log 信息的輸出端類型、輸出方式、輸出格式，更加細緻地控制日誌的生成過程，而其通過配置文件可以靈活地進行配置而不需要大量的更改代碼。因此，很多互聯網企業都選擇使用 Log4j 。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2014 年，Log4j 2 發佈。Log4j 2 是對 Log4j 的重大升級，完全重寫了 log4j 的日誌實現。Log4j 2 提供了 Logback 中可用的許多改進，同時修復了 Logback 架構中的一些固有問題，目前已經更新到 2.15.0 版本。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Log4j2 也支持 SLF4J，可以自動重新加載日誌配置，並支持高級過濾選項。此外它還允許基於 lambda 表達式對日誌語句進行延遲評估，爲低延遲系統提供異步記錄器，並提供無垃圾模式以避免由垃圾收集器操作引起的任何延遲。通過其他語言接口，企業也可以在 C、C++、.Net、PL\/SQL 程序中使用 Log4j。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此次漏洞的出現，正是由用於 Log4j 2 提供的 lookup 功能造成的，該功能允許開發者通過一些協議去讀取相應環境中的配置。但在實現的過程中，並未對輸入進行嚴格的判斷，從而造成漏洞的發生。“微步在線研究響應中心”做了漏洞復現："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/eb\/eb48a747e39c17b4752feb8fd8f1e70c.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"簡單來說，就是在打印日誌時，如果發現日誌內容中包含關鍵詞 ${，那麼這個裏面包含的內容會當做變量來進行替換，導致攻擊者可以任意執行命令。詳細漏洞披露可查看："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/issues.apache.org\/jira\/projects\/LOG4J2\/issues\/LOG4J2-3201?filter=allissues","title":"","type":null},"content":[{"type":"text","text":"https:\/\/issues.apache.org\/jira\/projects\/LOG4J2\/issues\/LOG4J2-3201?filter=allissues"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於線上 web 業務的任何數據都可能寫入 Log4j，甚至一些 pre-auth 的地方，比如註冊、登錄，實際攻擊入口取決於業務具體情況。目前百度搜索、蘋果 iCloud 搜索、360 搜索等都出現了該問題。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/44\/4428c291b95a85d5ca58a2d080ff51d4.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","text":"圖源：公衆號"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzI5MDQ2NjExOQ==&mid=2247496216&idx=1&sn=2c85e1ad985e8a37c5ec2b7a5bded7cd&scene=21#wechat_redirect","title":"","type":null},"content":[{"type":"text","text":"“信安之路”"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"12 月 10 日上午，"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzI5MzY2MzM0Mw==&mid=2247486239&idx=1&sn=dd3eed8e9065a7f78758effd6ffe2578&scene=21#wechat_redirect","title":"","type":null},"content":[{"type":"text","text":"阿里雲安全團隊"}]},{"type":"text","text":"再次發出預警，發現 Apache Log4j 2.15.0-rc1 版本存在漏洞繞過，建議及時更新至 Apache Log4j 2.15.0-rc2 版本。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於這次漏洞，有網友評價說道，“可以說是災難性的漏洞，比之前的 fastjson 和 shiro 還要嚴重，這個漏洞估計在之後三四年內還會繼續存在….”"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"快速檢測及修復方案"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"針對此次漏洞，“微步在線研究響應中心”也給出了一些應急方案。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"1. 緊急緩解措施"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"（1）修改 jvm 參數 -Dlog4j2.formatMsgNoLookups=true"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"（2）修改配置 log4j2.formatMsgNoLookups=True"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"（3）將系統環境變量 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 設置爲 true"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"2. 檢測方案"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"（1）由於攻擊者在攻擊過程中可能使用 DNSLog 進行漏洞探測，建議企業可以通過流量監測設備監控是否有相關 DNSLog 域名的請求，微步在線的 OneDNS 也已經識別主流 DNSLog 域名並支持攔截。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"（2）根據目前微步在線對於此類漏洞的研究積累，我們建議企業可以通過監測相關流量或者日誌中是否存在“jndi:ldap:\/\/”、“jndi:rmi”等字符來發現可能的攻擊行爲。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"3. 修復方案"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"檢查所有使用了 Log4j 組件的系統，官方修復鏈接如下："},{"type":"link","attrs":{"href":"https:\/\/github.com\/apache\/logging-log4j2\/releases\/tag\/log4j-2.15.0-rc1","title":"","type":null},"content":[{"type":"text","text":"https:\/\/github.com\/apache\/logging-log4j2\/releases\/tag\/log4j-2.15.0-rc1"}]}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"安全應該是一個持續的過程"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"每個人都知道安全的重要性，但安全問題還是頻繁發生。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"去年 5 月，360 網絡安全響應中心發佈“ Fastjson 遠程代碼執行漏洞通告”。通告稱，Java 庫 fastjson <= 1.2.68 版本存在遠程代碼執行漏洞，漏洞被利用可直接獲取服務器權限。該漏洞評定爲“高危漏洞”，影響面“廣泛”。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"前年，阿里雲應急響應中心監測到，Apach Shiro 官方披露了其 cookie 持久化參數 rememberMe 加密算法存在漏洞，攻擊者利用 Padding Oracle 攻擊手段可構造惡意的 rememberMe 值，繞過加密算法驗證，執行 java 反序列化操作，最終可導致遠程命令執行獲取服務器權限，風險極大。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全本身並不是一個能夠創造價值的功能，反而更像是需要消耗價值以確保功能穩定的功能。中小企業常常沒有足夠的資金投入安全建設，而有資金的企業也會把這部分預算將到最低。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"網絡攻擊成功的可能性以及潛在損失的程度是難以實現估計的，決策者通常是依靠經驗判斷來做決定投入金額。根據 Alex Blau 在哈佛商業評論中的文章中提到的，決策者在作出決定時，會有以下三個誤區："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":1,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"將網絡安全視爲一種防禦。在這個過程中，強大的防火牆和有能力的工程師可以讓他們遠離威脅。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"認爲遵守 NIST 或 FISMA 等安全框架就足夠安全。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"以爲如果近期沒有發生安全漏洞，那麼看起來沒有問題的部分就不需要修復。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這些想法的問題在於，網絡安全不是要解決有限的問題，而應該是一個持續進行的過程。麻省理工學院數字經濟倡議主任 Erik Brynjolfsson 表示，對抗網絡威脅應該被歸到“更高級別的優先考慮項”。他認爲，一些修復並不複雜。雖然增加一些額外的小操作會讓整個流程變長，並增加一點成本，但會讓企業和個人更加安全。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Brynjolfsson 提出，在網絡安全方面，使用公開可用的密碼學通常比爲特定公司構建的專有系統更加安全。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}