突發!Log4j 爆“核彈級”漏洞,Flink、Kafka等至少十多個項目受影響

原創 褚杏娟 2021-12-10 14:08
{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"昨晚,對很多程序員來說可能是一個不眠之夜。12 月 10 日凌晨,Apache 開源項目 Log4j 的遠程代碼執行漏洞細節被公開,由於 Log4j 的廣泛使用,該漏洞一旦被攻擊者利用會造成嚴重危害。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"據悉,Apache Log4j 2.x <= 2.14.1 版本均回會受到影響。根據“"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzA5MDc1NDc1MQ==&mid=2247490981&idx=1&sn=a6cbdc953c90467a598149167fca0c28&scene=21#wechat_redirect","title":"","type":null},"content":[{"type":"text","text":"微步在線研究響應中心"}]},{"type":"text","text":"”消息,可能的受影響應用包括但不限於:Spring-Boot-strater-log4j2、Apache Struts2、Apache Solr、Apache Flink、Apache Druid、Elasticsearch、Flume、Dubbo、Redis、Logstash、Kafka 等。很多互聯網企業都連夜做了應急措施。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"截至本文發出,鬥魚、京東、網易、深信服和汽車產業安全應急響應中心皆發文表示,鑑於該漏洞影響範圍比較大,業務自查及升級修復需要一定時間,暫不接收 Log4j2 相關的遠程代碼執行漏洞。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/d4\/d42f909789c3b8d422f36c848b89c136.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"lookup 功能造成的漏洞"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Log4j 是一款開源 Java 日誌記錄工具。日誌記錄主要用來監視代碼中變量的變化情況,週期性的記錄到文件中供其他應用進行統計分析工作;跟蹤代碼運行時軌跡,作爲日後審計的依據;擔當集成開發環境中的調試器的作用,向文件或控制檯打印代碼的調試信息。因此,對於程序員來說,日誌記錄非常重要。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在強調可重用組件開發的今天,Apache 提供的強有力的日誌操作包 Log4j。Log4j 可以輕鬆控制 log 信息是否顯示、log 信息的輸出端類型、輸出方式、輸出格式,更加細緻地控制日誌的生成過程,而其通過配置文件可以靈活地進行配置而不需要大量的更改代碼。因此,很多互聯網企業都選擇使用 Log4j 。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2014 年,Log4j 2 發佈。Log4j 2 是對 Log4j 的重大升級,完全重寫了 log4j 的日誌實現。Log4j 2 提供了 Logback 中可用的許多改進,同時修復了 Logback 架構中的一些固有問題,目前已經更新到 2.15.0 版本。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Log4j2 也支持 SLF4J,可以自動重新加載日誌配置,並支持高級過濾選項。此外它還允許基於 lambda 表達式對日誌語句進行延遲評估,爲低延遲系統提供異步記錄器,並提供無垃圾模式以避免由垃圾收集器操作引起的任何延遲。通過其他語言接口,企業也可以在 C、C++、.Net、PL\/SQL 程序中使用 Log4j。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此次漏洞的出現,正是由用於 Log4j 2 提供的 lookup 功能造成的,該功能允許開發者通過一些協議去讀取相應環境中的配置。但在實現的過程中,並未對輸入進行嚴格的判斷,從而造成漏洞的發生。“微步在線研究響應中心”做了漏洞復現:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/eb\/eb48a747e39c17b4752feb8fd8f1e70c.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"簡單來說,就是在打印日誌時,如果發現日誌內容中包含關鍵詞 ${,那麼這個裏面包含的內容會當做變量來進行替換,導致攻擊者可以任意執行命令。詳細漏洞披露可查看:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/issues.apache.org\/jira\/projects\/LOG4J2\/issues\/LOG4J2-3201?filter=allissues","title":"","type":null},"content":[{"type":"text","text":"https:\/\/issues.apache.org\/jira\/projects\/LOG4J2\/issues\/LOG4J2-3201?filter=allissues"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於線上 web 業務的任何數據都可能寫入 Log4j,甚至一些 pre-auth 的地方,比如註冊、登錄,實際攻擊入口取決於業務具體情況。目前百度搜索、蘋果 iCloud 搜索、360 搜索等都出現了該問題。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/44\/4428c291b95a85d5ca58a2d080ff51d4.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","text":"圖源:公衆號"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzI5MDQ2NjExOQ==&mid=2247496216&idx=1&sn=2c85e1ad985e8a37c5ec2b7a5bded7cd&scene=21#wechat_redirect","title":"","type":null},"content":[{"type":"text","text":"“信安之路”"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"12 月 10 日上午,"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzI5MzY2MzM0Mw==&mid=2247486239&idx=1&sn=dd3eed8e9065a7f78758effd6ffe2578&scene=21#wechat_redirect","title":"","type":null},"content":[{"type":"text","text":"阿里雲安全團隊"}]},{"type":"text","text":"再次發出預警,發現 Apache Log4j 2.15.0-rc1 版本存在漏洞繞過,建議及時更新至 Apache Log4j 2.15.0-rc2 版本。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於這次漏洞,有網友評價說道,“可以說是災難性的漏洞,比之前的 fastjson 和 shiro 還要嚴重,這個漏洞估計在之後三四年內還會繼續存在….”"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"快速檢測及修復方案"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"針對此次漏洞,“微步在線研究響應中心”也給出了一些應急方案。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"1. 緊急緩解措施"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"(1)修改 jvm 參數 -Dlog4j2.formatMsgNoLookups=true"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"(2)修改配置 log4j2.formatMsgNoLookups=True"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"(3)將系統環境變量 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 設置爲 true"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"2. 檢測方案"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"(1)由於攻擊者在攻擊過程中可能使用 DNSLog 進行漏洞探測,建議企業可以通過流量監測設備監控是否有相關 DNSLog 域名的請求,微步在線的 OneDNS 也已經識別主流 DNSLog 域名並支持攔截。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"(2)根據目前微步在線對於此類漏洞的研究積累,我們建議企業可以通過監測相關流量或者日誌中是否存在“jndi:ldap:\/\/”、“jndi:rmi”等字符來發現可能的攻擊行爲。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"3. 修復方案"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"檢查所有使用了 Log4j 組件的系統,官方修復鏈接如下:"},{"type":"link","attrs":{"href":"https:\/\/github.com\/apache\/logging-log4j2\/releases\/tag\/log4j-2.15.0-rc1","title":"","type":null},"content":[{"type":"text","text":"https:\/\/github.com\/apache\/logging-log4j2\/releases\/tag\/log4j-2.15.0-rc1"}]}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"安全應該是一個持續的過程"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"每個人都知道安全的重要性,但安全問題還是頻繁發生。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"去年 5 月,360 網絡安全響應中心發佈“ Fastjson 遠程代碼執行漏洞通告”。通告稱,Java 庫 fastjson <= 1.2.68 版本存在遠程代碼執行漏洞,漏洞被利用可直接獲取服務器權限。該漏洞評定爲“高危漏洞”,影響面“廣泛”。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"前年,阿里雲應急響應中心監測到,Apach Shiro 官方披露了其 cookie 持久化參數 rememberMe 加密算法存在漏洞,攻擊者利用 Padding Oracle 攻擊手段可構造惡意的 rememberMe 值,繞過加密算法驗證,執行 java 反序列化操作,最終可導致遠程命令執行獲取服務器權限,風險極大。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全本身並不是一個能夠創造價值的功能,反而更像是需要消耗價值以確保功能穩定的功能。中小企業常常沒有足夠的資金投入安全建設,而有資金的企業也會把這部分預算將到最低。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"網絡攻擊成功的可能性以及潛在損失的程度是難以實現估計的,決策者通常是依靠經驗判斷來做決定投入金額。根據 Alex Blau 在哈佛商業評論中的文章中提到的,決策者在作出決定時,會有以下三個誤區:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":1,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"將網絡安全視爲一種防禦。在這個過程中,強大的防火牆和有能力的工程師可以讓他們遠離威脅。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"認爲遵守 NIST 或 FISMA 等安全框架就足夠安全。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"以爲如果近期沒有發生安全漏洞,那麼看起來沒有問題的部分就不需要修復。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這些想法的問題在於,網絡安全不是要解決有限的問題,而應該是一個持續進行的過程。麻省理工學院數字經濟倡議主任 Erik Brynjolfsson 表示,對抗網絡威脅應該被歸到“更高級別的優先考慮項”。他認爲,一些修復並不複雜。雖然增加一些額外的小操作會讓整個流程變長,並增加一點成本,但會讓企業和個人更加安全。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Brynjolfsson 提出,在網絡安全方面,使用公開可用的密碼學通常比爲特定公司構建的專有系統更加安全。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

數據結構筆記淺記(十三) 哈希表

「哈希表 hash table」,又稱「散列表」,它通過建立鍵 key 與值 value 之間的映射,實現高效的元素查詢。具體而言,我們向哈希表中輸入一個鍵 key ,則可以在 𝑂(1) 時間內獲取對應的值 value 。 從本質上看,哈

原創 2024-04-24 23:39:16

數組和鏈表的適用場景

簡介 在計算機中要對給定的數據集進行若干處理,首要任務是把數據集的一部分(當數據量非常大時,可能只能一部分一部分地讀取數據到內存中來處理)或全部存儲到內存中,然後再對內存中的數據進行各種處理。例如,對於數據集 S{1,2,3,4,5,6

原創 2024-04-24 09:31:34

下載量超 200 萬,最近頻繁登上熱搜的 AI 程序員,大家怎麼看

人狠話不多,會熟練使用 200 多種編程語言,寫得了代碼,做得了測試,7 天 24 小時隨叫隨到…… 硅基程序員通義靈碼首次入職阿里雲,有網友說:終於不穿格子衫了! 還有網友說:這簡歷,作爲一個 HR 我很難不心動! 人狠話不多的通義靈碼,

原創 2024-04-22 21:12:06

基於信息安全的軟測工具鏈解決方案

      伴隨着汽車與外界的交互手段不斷豐富,車聯網相關設備、系統間的數據交互更加頻繁,萬物互聯下的網絡攻擊也逐漸滲透延伸到車聯網的領域。汽車行業面臨着重大的信息安全挑戰。此外,UNECE WP.29 R155和ISO/SAE 21434

原創 2024-04-18 22:43:26

初探Java編程——開啓你的編程之旅

標題:初探Java編程——開啓你的編程之旅 摘要:本文主要介紹了Java編程語言的基本概念、特點以及如何搭建Java開發環境。通過簡單的實例,讓讀者初步瞭解Java編程,爲其後續學習打下基礎。 一、Java概述 Java是一種面

原創 2024-04-17 00:39:23

五一假期暢遊指南:Python技術構建的熱門景點分析系統解讀

導言 五一假期即將到來,作爲一名熱愛旅遊的技術達人,我總是希望能夠通過技術手段更好地規劃我的旅行路線。在這篇文章中,我將向大家介紹一款基於Python技術的熱門景點分析系統,幫助您在五一假期中游玩得更加盡興! 1. 系統概述 熱門景點

原創 2024-04-16 23:25:46

Hugging Face推出全新代碼大模型:支持80+編程語言,集成VSCode

隨着人工智能技術的不斷髮展,代碼大模型成爲了近年來備受矚目的技術熱點。作爲自然語言處理領域的領軍企業,Hugging Face近日推出了一款全新的代碼大模型,該模型支持80+種編程語言,並與VSCode進行了集成,爲用戶提供了前所未有的代碼

原創 2024-04-16 11:29:25

裁員了!別錯過2024年大數據工程師必備的10項技能

在當今快速發展的世界中,數據被視爲新的石油。隨着對數據驅動洞察的日益依賴,大數據工程師的角色比以往任何時候都更爲關鍵。 這些專業人員在管理和優化組織內的數據操作中扮演着至關重要的角色。在本文中,我們將探索2024年大數據工程師必須具備的十

原創 2024-04-16 11:00:53

實現“代碼可視化”需要了解的前置知識-編譯器前端

1. 前言 “代碼可視化”的概念定義和業界案例在前文中已經進行了講述,綜述可閱讀淺析“代碼可視化”,更多相關知識可查看專欄“代碼可視化”。本文梳理了“代碼可視化”功能開發需要前置瞭解的編譯器前端部分知識,因能力有限若有解釋不清和錯誤的地方

原創 2024-04-12 23:16:44

智能Java開發工具IntelliJ IDEA v2024.1震撼發佈——讓開發工作更簡單!

IntelliJ IDEA,是java編程語言開發的集成環境。IntelliJ在業界被公認爲最好的java開發工具,尤其在智能代碼助手、代碼自動提示、重構、JavaEE支持、各類版本工具(git、svn等)、JUnit、CVS整合、代碼分析

原創 2024-04-12 11:33:56

數據結構筆記淺記(九)存儲設備

物理結構在很大程度上決定了程序對內存和緩存的使用效率,進而影響算法程序的整體性能。 由於存儲數據的需要長久保存,並且內存的價格比硬盤貴太多,因此內存無法取代硬盤。 緩存的大容量和高速度難以兼得。隨着 L1、L2、L3 緩存的容量逐步增大

原創 2024-04-08 23:38:13

京東雲“智能編碼”上線了!免費試用

智能編碼JoyCoder 是一款基於大語言模型、適配多種 IDE 的智能編程助手,可以爲研發人員提供代碼預測續寫、UI 草圖轉前端代碼、生成單元測試、代碼安全漏洞自動識別及修復、一鍵生成接口文檔、AI 智能問答等功能。助力開發者高效、流暢、

原創 2024-04-02 23:16:35

Testwell CTC++10.1.0 新版持續支持ASPICE認證,軟件全面升級!

Testwell CTC++是業界領先的代碼覆蓋率分析工具。該工具支持廣泛的編程語言和多種認證標準,特別是在安全關鍵領域,如航空航天、汽車、醫療設備和工業控制系統等。幫助開發和測試團隊精確測量測試過程中代碼的執行情況,有效提升軟件的可靠性

原創 2024-04-02 21:28:37

讓你的文檔從靜態展示到一鍵部署可操作驗證

作者:慕扉 用戶在根據文檔進行操作時,會出現根據文檔內容搭建環境困難、代碼調試失敗、功能無法使用的情況,主要是由於文檔中有年久失修、沒人維護、無法跑通的代碼,給用戶快速上手帶來很多的挑戰。 爲了解決文檔中的這些用戶體驗問題,通過函數計算的能

原創 2024-04-02 21:12:11

Kotlin高效App爬取工具:利用HttpClient與代理服務器的技巧

在當今數字化時代,移動應用(App)數據的價值日益凸顯,而爲了獲取並分析這些數據,開發高效的數據爬取工具變得至關重要。Kotlin作爲一種現代化、功能強大的編程語言,與HttpClient等強大工具的結合,爲構建高效的App數據爬取工具提

原創 2024-03-28 00:45:02