# No Log4j2 Vulnerability, However Severe, Can Hurt Java

In the early hours of December 10, details of a remote code execution vulnerability in the Apache open-source project Log4j were made public. Because Log4j is so widely used, the vulnerability can cause serious harm once attackers exploit it.

Log4j is a library used by many Java applications, and it is one of the most ubiquitous Java libraries to date. The Log4j security issue centers on a bug in the Log4j library that may allow an attacker to execute arbitrary code on systems that use Log4j to write log messages. The vulnerability has a broad impact and can cause serious harm once attackers exploit it.

As the Log4j vulnerability continues to make waves, some of the people who predict Java's demise every day have seized on it to take aim at Java again. They love to publish articles and posts insisting that this top-tier programming language, now 25 years old, is about to die. Yet Java pulls through every time and keeps serving countless developers around the world. I should acknowledge up front that many of the articles security vendors have published on how the log4j2 vulnerability is exploited are genuinely valuable. This security issue deserves everyone's attention, and I recommend reviewing your own Java projects for exposure as soon as possible, following the published advice.

In this article I want to focus on the Java ecosystem: what logging frameworks are, why and how to use them, and how development teams can observe and control what their JVMs are doing.

## Security responsibilities of Java developers

How should Java developers stay secure? The answer is simple: by patching the JDK and libraries quickly, we can avoid most potential widespread breaches.

### Patch libraries (required)

Once a vulnerability is found in a library, the most effective response is of course to patch the library and eliminate the vulnerability. If you do not patch in time, your application may well be compromised, and the attacker will gain full access to the target system and its data.

**Whatever the situation, patching is the most effective response.**

A logging framework can come in through any dependency, either a transitive dependency (added by another library) or a direct dependency (added by you). Analysis tools such as Contrast Community Edition can check your current dependencies as well as other custom vulnerabilities.

In addition, the Maven dependency tree (`dependency:tree`) and the [Gradle dependency tree](https://docs.gradle.org/current/userguide/viewing_debugging_dependencies.html) are good open-source dependency analysis tools. IDEs such as NetBeans provide dependency graph visualizers. Once you upgrade to 2.15.0 or later, the log4j2 vulnerability will no longer trouble you.

### Patch the JRE to the Java security baseline (recommended, regularly)

Each major Java version maintains a continuously moving security baseline. Because the JDK receives a new round of security fixes every quarter, the baseline keeps advancing. In other words, any Java installation below the current security baseline contains known security issues and should be updated immediately.

Of course, this is simply standard security best practice. It is not directly related to the log4j2 library vulnerability and does not fix it.

Development teams should nevertheless use the Foojay Disco API to monitor the security baseline automatically and upgrade existing systems. Developers can pair it with GitHub Actions to make sure that every build actually picks up the latest security updates. When a security incident does occur, upgrading the JRE then happens together with rebuilding and redeploying the code.

The Java security baseline is updated on the Tuesday closest to the 17th of January, April, July and October each year. For details, see Oracle's Critical Patch Update schedule, which the OpenJDK Vulnerability Group follows in the same way. Of course, an unscheduled security update is sometimes released even when there is no major problem. Log4j2 does not fall into that category.

Below is an example security baseline configuration for Java 11:

```yaml
jobs:
  java11:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        # "x" is a placeholder for the Java 11 update number(s) to build against
        update: [x]
        package: [jdk, jre]
      fail-fast: false
      max-parallel: 4
    name: ${{ matrix.package }} 11.0.${{ matrix.update }}, ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v1
      # Install the requested Zulu build through the Foojay Disco API action
      - name: Set up JDK 11 Zulu
        uses: foojayio/setup-java@disco
        with:
          java-package: ${{ matrix.package }}
          java-version: 11.0.${{ matrix.update }}
          distro: zulu
      # Print the installed version so the build log records which update ran
      - name: java -version
        run: java -version
```

### Regularly scan for custom security vulnerabilities (in testing, recommended)

Automated security tools help us catch vulnerabilities accurately even when we lack the relevant expertise. By adding an integrated agent to a Java application, you can passively detect the security information recorded in the application. Unlike the tools mentioned earlier, which analyze dependency version numbers to decide whether a vulnerability is present, these automated security tools track the same dependency information but also use an integrated analyzer to report how the libraries in use behave in combination, in particular whether they are safe to use together.

For example, an integrated analyzer does not simply check whether log4j2 is present and at which version. It detects whether the logging of remote input can be controlled by an attacker.

In addition, free analysis tools such as Contrast Community Edition can catch the log4j2 zero-day as well as many other security flaws, for example:

- Does my application contain SQL injection flaws, for example in Hibernate, JDBC or elsewhere?
- Can a remote attacker control any input sent to `Runtime.exec`, leading to a command injection vulnerability?
- Which cryptographic algorithms does my application use, where exactly, and do they meet appropriate security standards?
- Are we combining libraries in some unusual, risky way, for example OGNL input parsing?

### Monitor security events with JDK Flight Recorder

JDK Flight Recorder is a profiling tool available in modern OpenJDK distributions that can provide security information at low resource cost. Development teams can use JDK Flight Recorder to record many I/O operations, such as which files the JRE has accessed or which classes are involved in deserialization.

By monitoring Java application events with JDK Flight Recorder and streaming them to a security information and event management (SIEM) system, Java teams can watch for anomalous behavior and/or pair known-safe classes with Java deserialization filters, thereby preventing exploitation.

## Which security efforts are not worth trying

Taking log4j2 as the example, network defenses such as web application firewalls (WAFs) can have some effect in the short term, but overall they perform poorly and require an enormous amount of work.

- Network defenses are weak. You may have seen the joke circulating online in which someone uses Photoshop to craft a license plate that looks normal but hides a trick, so that the recognition system suffers an injection attack as soon as it scans the plate. The trick works because its author knows that the license plate recognition system will try to parse and log everything captured through computer vision, and the injected data never passes through the network layer at all. Likewise, most applications consume some data, decode it and log all kinds of details. Clearly, no network tool can cover such a broad attack surface.
- Monitoring and tracking attackers and blocking their IPs right away is similarly ineffective. Some organizations insist on maintaining a list of potential attackers, but AWS IPs are called Elastic precisely because they change regularly. Even if you block one, the attacker can either wait for the block to lapse or switch to another IP and carry on.

### System properties and hot patches: reasonably effective

We can use a couple of system properties and a patch to rein in log4j2's behavior. If you cannot update the library or dependency for now, these are the most reasonable stopgap security measures.

Two Java system properties:

- `-Dcom.sun.jndi.rmi.object.trustURLCodebase=false`
- `-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false`

Setting them to false prevents remote loading.

There is also a hot patch that attaches to the running JVM and applies the fix. Its drawback is that the patch has to be run again every time the JVM starts. That is enough for some use cases, but it is certainly less convenient than simply updating the library.

## How does Java handle logging?

Java developers typically choose from several logging systems and facades. After years of development, merging and cross-pollination in the community, the various logging frameworks can now mostly work together:

- [System Logger](https://docs.oracle.com/javase/9/docs/api/java/lang/System.html) (2017, recommended) was first introduced in JDK 9. It improves on the JDK Logger API and provides an SLF4J-like facade that can redirect JDK logs to the logger chosen by the application team.
- JDK Logger (2004) was introduced in Java 1.4. It is very common, but its API looks somewhat dated. It works, but it is not as convenient as other logging frameworks.
- [Log4j and Log4j2](https://logging.apache.org/log4j/2.x/) are community-developed loggers. They improved the API so that teams can easily control what gets logged and look up when specific data appears at which levels.
- [Logback](http://logback.qos.ch/) and [SLF4J](http://www.slf4j.org/) are two other popular loggers. SLF4J is a relatively simple logging facade that helps teams manage multiple other loggers: library maintainers log directly to SLF4J, and application developers then configure which underlying loggers to use to produce unified output. Besides their high-quality APIs, both also minimize the dependencies we have to deal with.
- [JBoss Logger](https://docs.jboss.org/process-guide/en/html/logging.html) is another popular logger in the JBoss ecosystem, stable and fast. It now also supports a number of other logging frameworks, for instance in Quarkus.
- Apache Commons-Logging (2002) is older than JDK Logger and inspired many later APIs. Its last release was in 2014, after which it declined as users moved from single-project APIs to cross-project ones.

## The most recommended logger choices for 2022

For newer projects with few dependencies that have not been around long, we recommend considering System Logger first. For projects with a large number of dependencies, we recommend continuing to follow the existing logger that most of the dependencies already integrate with, or using a unified logging facade.

If you have not used any logger before, you can treat System Logger as a JDK Logger with a good API.

Reference links:

- https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html
- https://foojay.io/today/log4j-isnt-killing-java/
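The article's advice to look for Log4j among both direct and transitive dependencies with `mvn dependency:tree` and to upgrade to 2.15.0 or later can be turned into a build gate. The script below is an added example, not code from the original article: the names `scan_tree`, `check_tree`, `sample_tree` and `MIN_SAFE` and the sample tree are constructed for illustration, only Maven's text output is parsed, and matching on the `log4j-core` artifact is this example's choice.

```shell
#!/bin/sh
# Added example (not from the original article): flag log4j-core entries
# below a minimum version in `mvn dependency:tree` output read on stdin.

# Threshold the article gives; override MIN_SAFE if your policy differs.
MIN_SAFE="${MIN_SAFE:-2.15.0}"

# Prints one finding per line: "<direct|transitive> log4j-core <version> <scope>"
scan_tree() {
  awk -v min="$MIN_SAFE" '
    # Returns 1 when version v sorts below m. Compares the numeric part of the
    # first three dot-separated components; on a tie, a qualified build such
    # as "2.15.0-rc1" is conservatively treated as below the release.
    function below(v, m,    a, b, i, x, y) {
      split(v, a, "."); split(m, b, ".")
      for (i = 1; i <= 3; i++) {
        x = a[i] + 0; y = b[i] + 0
        if (x < y) return 1
        if (x > y) return 0
      }
      return (v ~ /-/) ? 1 : 0
    }
    {
      line = $0
      sub(/^\[INFO\] /, "", line)
      # Only the artifact that ships the logging implementation is matched.
      if (!match(line, /org\.apache\.logging\.log4j:log4j-core:/)) next
      # Each tree level is drawn with a 3-character prefix ("+- ", "|  ", ...).
      depth = int((RSTART - 1) / 3)
      n = split(substr(line, RSTART), f, ":")
      if (n < 5) next
      # Coordinate layout: group:artifact:type[:classifier]:version:scope
      ver = f[n - 1]; scope = f[n]
      sub(/ .*/, "", scope)
      if (below(ver, min))
        printf "%s log4j-core %s %s\n", (depth > 1 ? "transitive" : "direct"), ver, scope
    }
  '
}

# Build gate: prints the findings and returns 1 when there are any.
check_tree() {
  findings=$(scan_tree)
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Constructed sample: dependency:tree output of three hypothetical modules.
sample_tree() {
  cat <<'EOF'
[INFO] com.example:shop-web:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \- com.example:shop-common:jar:1.0.0:compile
[INFO] com.example:shop-batch:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] com.example:shop-legacy:jar:1.0.0
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.0-beta9:compile
EOF
}

sample_tree | scan_tree
```

In a build, pipe the real output instead, as in `mvn dependency:tree | check_tree`, which ends with a non-zero status whenever a finding is printed.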