突发！Log4j 爆“核弹级”漏洞，Flink、Kafka等至少十多个项目受影响

原創

2021-12-10 14:08

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"昨晚，对很多程序员来说可能是一个不眠之夜。12 月 10 日凌晨，Apache 开源项目 Log4j 的远程代码执行漏洞细节被公开，由于 Log4j 的广泛使用，该漏洞一旦被攻击者利用会造成严重危害。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"据悉，Apache Log4j 2.x <= 2.14.1 版本均回会受到影响。根据“"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzA5MDc1NDc1MQ==&mid=2247490981&idx=1&sn=a6cbdc953c90467a598149167fca0c28&scene=21#wechat_redirect","title":"","type":null},"content":[{"type":"text","text":"微步在线研究响应中心"}]},{"type":"text","text":"”消息，可能的受影响应用包括但不限于：Spring-Boot-strater-log4j2、Apache Struts2、Apache Solr、Apache Flink、Apache Druid、Elasticsearch、Flume、Dubbo、Redis、Logstash、Kafka 等。很多互联网企业都连夜做了应急措施。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"截至本文发出，斗鱼、京东、网易、深信服和汽车产业安全应急响应中心皆发文表示，鉴于该漏洞影响范围比较大，业务自查及升级修复需要一定时间，暂不接收 Log4j2 相关的远程代码执行漏洞。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/d4\/d42f909789c3b8d422f36c848b89c136.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"lookup 功能造成的漏洞"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Log4j 是一款开源 Java 日志记录工具。日志记录主要用来监视代码中变量的变化情况，周期性的记录到文件中供其他应用进行统计分析工作；跟踪代码运行时轨迹，作为日后审计的依据；担当集成开发环境中的调试器的作用，向文件或控制台打印代码的调试信息。因此，对于程序员来说，日志记录非常重要。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在强调可重用组件开发的今天，Apache 提供的强有力的日志操作包 Log4j。Log4j 可以轻松控制 log 信息是否显示、log 信息的输出端类型、输出方式、输出格式，更加细致地控制日志的生成过程，而其通过配置文件可以灵活地进行配置而不需要大量的更改代码。因此，很多互联网企业都选择使用 Log4j 。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2014 年，Log4j 2 发布。Log4j 2 是对 Log4j 的重大升级，完全重写了 log4j 的日志实现。Log4j 2 提供了 Logback 中可用的许多改进，同时修复了 Logback 架构中的一些固有问题，目前已经更新到 2.15.0 版本。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Log4j2 也支持 SLF4J，可以自动重新加载日志配置，并支持高级过滤选项。此外它还允许基于 lambda 表达式对日志语句进行延迟评估，为低延迟系统提供异步记录器，并提供无垃圾模式以避免由垃圾收集器操作引起的任何延迟。通过其他语言接口，企业也可以在 C、C++、.Net、PL\/SQL 程序中使用 Log4j。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此次漏洞的出现，正是由用于 Log4j 2 提供的 lookup 功能造成的，该功能允许开发者通过一些协议去读取相应环境中的配置。但在实现的过程中，并未对输入进行严格的判断，从而造成漏洞的发生。“微步在线研究响应中心”做了漏洞复现："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/eb\/eb48a747e39c17b4752feb8fd8f1e70c.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"简单来说，就是在打印日志时，如果发现日志内容中包含关键词 ${，那么这个里面包含的内容会当做变量来进行替换，导致攻击者可以任意执行命令。详细漏洞披露可查看："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/issues.apache.org\/jira\/projects\/LOG4J2\/issues\/LOG4J2-3201?filter=allissues","title":"","type":null},"content":[{"type":"text","text":"https:\/\/issues.apache.org\/jira\/projects\/LOG4J2\/issues\/LOG4J2-3201?filter=allissues"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由于线上 web 业务的任何数据都可能写入 Log4j，甚至一些 pre-auth 的地方，比如注册、登录，实际攻击入口取决于业务具体情况。目前百度搜索、苹果 iCloud 搜索、360 搜索等都出现了该问题。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/44\/4428c291b95a85d5ca58a2d080ff51d4.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","text":"图源：公众号"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzI5MDQ2NjExOQ==&mid=2247496216&idx=1&sn=2c85e1ad985e8a37c5ec2b7a5bded7cd&scene=21#wechat_redirect","title":"","type":null},"content":[{"type":"text","text":"“信安之路”"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"12 月 10 日上午，"},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s?__biz=MzI5MzY2MzM0Mw==&mid=2247486239&idx=1&sn=dd3eed8e9065a7f78758effd6ffe2578&scene=21#wechat_redirect","title":"","type":null},"content":[{"type":"text","text":"阿里云安全团队"}]},{"type":"text","text":"再次发出预警，发现 Apache Log4j 2.15.0-rc1 版本存在漏洞绕过，建议及时更新至 Apache Log4j 2.15.0-rc2 版本。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"对于这次漏洞，有网友评价说道，“可以说是灾难性的漏洞，比之前的 fastjson 和 shiro 还要严重，这个漏洞估计在之后三四年内还会继续存在….”"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"快速检测及修复方案"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"针对此次漏洞，“微步在线研究响应中心”也给出了一些应急方案。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"1. 紧急缓解措施"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"（1）修改 jvm 参数 -Dlog4j2.formatMsgNoLookups=true"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"（2）修改配置 log4j2.formatMsgNoLookups=True"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"（3）将系统环境变量 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 设置为 true"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"2. 检测方案"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"（1）由于攻击者在攻击过程中可能使用 DNSLog 进行漏洞探测，建议企业可以通过流量监测设备监控是否有相关 DNSLog 域名的请求，微步在线的 OneDNS 也已经识别主流 DNSLog 域名并支持拦截。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"（2）根据目前微步在线对于此类漏洞的研究积累，我们建议企业可以通过监测相关流量或者日志中是否存在“jndi:ldap:\/\/”、“jndi:rmi”等字符来发现可能的攻击行为。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"3. 修复方案"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"检查所有使用了 Log4j 组件的系统，官方修复链接如下："},{"type":"link","attrs":{"href":"https:\/\/github.com\/apache\/logging-log4j2\/releases\/tag\/log4j-2.15.0-rc1","title":"","type":null},"content":[{"type":"text","text":"https:\/\/github.com\/apache\/logging-log4j2\/releases\/tag\/log4j-2.15.0-rc1"}]}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"安全应该是一个持续的过程"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"每个人都知道安全的重要性，但安全问题还是频繁发生。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"去年 5 月，360 网络安全响应中心发布“ Fastjson 远程代码执行漏洞通告”。通告称，Java 库 fastjson <= 1.2.68 版本存在远程代码执行漏洞，漏洞被利用可直接获取服务器权限。该漏洞评定为“高危漏洞”，影响面“广泛”。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"前年，阿里云应急响应中心监测到，Apach Shiro 官方披露了其 cookie 持久化参数 rememberMe 加密算法存在漏洞，攻击者利用 Padding Oracle 攻击手段可构造恶意的 rememberMe 值，绕过加密算法验证，执行 java 反序列化操作，最终可导致远程命令执行获取服务器权限，风险极大。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全本身并不是一个能够创造价值的功能，反而更像是需要消耗价值以确保功能稳定的功能。中小企业常常没有足够的资金投入安全建设，而有资金的企业也会把这部分预算将到最低。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"网络攻击成功的可能性以及潜在损失的程度是难以实现估计的，决策者通常是依靠经验判断来做决定投入金额。根据 Alex Blau 在哈佛商业评论中的文章中提到的，决策者在作出决定时，会有以下三个误区："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":1,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"将网络安全视为一种防御。在这个过程中，强大的防火墙和有能力的工程师可以让他们远离威胁。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"认为遵守 NIST 或 FISMA 等安全框架就足够安全。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"以为如果近期没有发生安全漏洞，那么看起来没有问题的部分就不需要修复。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"这些想法的问题在于，网络安全不是要解决有限的问题，而应该是一个持续进行的过程。麻省理工学院数字经济倡议主任 Erik Brynjolfsson 表示，对抗网络威胁应该被归到“更高级别的优先考虑项”。他认为，一些修复并不复杂。虽然增加一些额外的小操作会让整个流程变长，并增加一点成本，但会让企业和个人更加安全。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Brynjolfsson 提出，在网络安全方面，使用公开可用的密码学通常比为特定公司构建的专有系统更加安全。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}

發表評論

所有評論

還沒有人評論，想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.

相關文章

Haskell 实现京东优惠券爬取的详细步骤解析

在當今的電商行業中，優惠券活動是吸引用戶的一種重要方式。京東作爲中國領先的電商平臺之一，其優惠券活動頻繁且多樣，爲用戶提供了豐富的購物體驗。然而，想要及時獲取最新的京東優惠券信息並非易事，尤其是在優惠券數量龐大的情況下。爲了解決這一問題，

2024-04-28 23:27:18

三十分钟入门基础Go（Java小子版）

前言 Go語言定義 Go（又稱 Golang）是 Google 的 Robert Griesemer，Rob Pike 及 Ken Thompson 開發的一種靜態、強類型、編譯型語言。Go 語言語法與 C 相近，但功能上有：內存安

2024-04-25 23:17:43

数据结构笔记浅记（十三）哈希表

「哈希表 hash table」，又稱「散列表」，它通過建立鍵 key 與值 value 之間的映射，實現高效的元素查詢。具體而言，我們向哈希表中輸入一個鍵 key ，則可以在 𝑂(1) 時間內獲取對應的值 value 。從本質上看，哈

2024-04-24 23:39:16

数组和链表的适用场景

簡介在計算機中要對給定的數據集進行若干處理，首要任務是把數據集的一部分（當數據量非常大時，可能只能一部分一部分地讀取數據到內存中來處理）或全部存儲到內存中，然後再對內存中的數據進行各種處理。例如，對於數據集 S{1，2，3，4，5，6

2024-04-24 09:31:34

下载量超 200 万，最近频繁登上热搜的 AI 程序员，大家怎么看

人狠話不多，會熟練使用 200 多種編程語言，寫得了代碼，做得了測試，7 天 24 小時隨叫隨到…… 硅基程序員通義靈碼首次入職阿里雲，有網友說：終於不穿格子衫了！還有網友說：這簡歷，作爲一個 HR 我很難不心動！人狠話不多的通義靈碼，

2024-04-22 21:12:06

基于信息安全的软测工具链解决方案

伴隨着汽車與外界的交互手段不斷豐富，車聯網相關設備、系統間的數據交互更加頻繁，萬物互聯下的網絡攻擊也逐漸滲透延伸到車聯網的領域。汽車行業面臨着重大的信息安全挑戰。此外，UNECE WP.29 R155和ISO/SAE 21434

2024-04-18 22:43:26

初探Java编程——开启你的编程之旅

標題：初探Java編程——開啓你的編程之旅摘要：本文主要介紹了Java編程語言的基本概念、特點以及如何搭建Java開發環境。通過簡單的實例，讓讀者初步瞭解Java編程，爲其後續學習打下基礎。一、Java概述 Java是一種面

2024-04-17 00:39:23

五一假期畅游指南：Python技术构建的热门景点分析系统解读

導言五一假期即將到來，作爲一名熱愛旅遊的技術達人，我總是希望能夠通過技術手段更好地規劃我的旅行路線。在這篇文章中，我將向大家介紹一款基於Python技術的熱門景點分析系統，幫助您在五一假期中游玩得更加盡興！ 1. 系統概述熱門景點

2024-04-16 23:25:46

Hugging Face推出全新代码大模型：支持80+编程语言，集成VSCode

隨着人工智能技術的不斷髮展，代碼大模型成爲了近年來備受矚目的技術熱點。作爲自然語言處理領域的領軍企業，Hugging Face近日推出了一款全新的代碼大模型，該模型支持80+種編程語言，並與VSCode進行了集成，爲用戶提供了前所未有的代碼

2024-04-16 11:29:25

裁员了！别错过2024年大数据工程师必备的10项技能

在當今快速發展的世界中，數據被視爲新的石油。隨着對數據驅動洞察的日益依賴，大數據工程師的角色比以往任何時候都更爲關鍵。這些專業人員在管理和優化組織內的數據操作中扮演着至關重要的角色。在本文中，我們將探索2024年大數據工程師必須具備的十

2024-04-16 11:00:53

实现“代码可视化”需要了解的前置知识-编译器前端

1. 前言 “代碼可視化”的概念定義和業界案例在前文中已經進行了講述，綜述可閱讀淺析“代碼可視化”，更多相關知識可查看專欄“代碼可視化”。本文梳理了“代碼可視化”功能開發需要前置瞭解的編譯器前端部分知識，因能力有限若有解釋不清和錯誤的地方

2024-04-12 23:16:44

智能Java开发工具IntelliJ IDEA v2024.1震撼发布——让开发工作更简单！

IntelliJ IDEA，是java編程語言開發的集成環境。IntelliJ在業界被公認爲最好的java開發工具，尤其在智能代碼助手、代碼自動提示、重構、JavaEE支持、各類版本工具(git、svn等)、JUnit、CVS整合、代碼分析

2024-04-12 11:33:56

数据结构笔记浅记（九）存储设备

物理結構在很大程度上決定了程序對內存和緩存的使用效率，進而影響算法程序的整體性能。由於存儲數據的需要長久保存，並且內存的價格比硬盤貴太多，因此內存無法取代硬盤。緩存的大容量和高速度難以兼得。隨着 L1、L2、L3 緩存的容量逐步增大

2024-04-08 23:38:13

京东云“智能编码”上线了！免费试用

智能編碼JoyCoder 是一款基於大語言模型、適配多種 IDE 的智能編程助手，可以爲研發人員提供代碼預測續寫、UI 草圖轉前端代碼、生成單元測試、代碼安全漏洞自動識別及修復、一鍵生成接口文檔、AI 智能問答等功能。助力開發者高效、流暢、

2024-04-02 23:16:35

Testwell CTC++10.1.0 新版持续支持ASPICE认证，软件全面升级！

Testwell CTC++是業界領先的代碼覆蓋率分析工具。該工具支持廣泛的編程語言和多種認證標準，特別是在安全關鍵領域，如航空航天、汽車、醫療設備和工業控制系統等。幫助開發和測試團隊精確測量測試過程中代碼的執行情況，有效提升軟件的可靠性

2024-04-02 21:28:37

24小時熱門文章

最新文章

最新評論文章