我查到的是
临时缓解措施:
1. 禁止没有必要的业务访问外网
2. 使用 jvm 参数启动 -Dlog4j2.formatMsgNoLookups=true
3. 设置 log4j2.formatMsgNoLookups=True
4. 系统环境变量中将 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 设置为 true
但是我测试 4 在 linux 下 export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true 好像不起作用,查看 log4j2 的代码里面
@
Deprecated public static final boolean FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS = PropertiesUtil.getProperties().getBooleanProperty("log4j2.formatMsgNoLookups", true);
似乎也只是变量名称。。。是我理解错了吗?
huage
2021-12-11 21:42:20 +08:00
Remediation Advice:
This issue was remediated in Log4J v2.15.0. The Apache Logging Services team provides the following mitigation advice:
In previous releases (>=2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 protects against RCE by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
You can manually check for use of affected versions of Log4J by searching your project repository for Log4J use, which is often in a pom.xml file.
Where possible, upgrade to Log4J version 2.15.0. If you are using Log4J v1 there is a migration guide available.
Please note that Log4J v1 is End Of Life (EOL) and will not receive patches for this issue. Log4J v1 is also vulnerable to other RCE vectors and we recommend you migrate to Log4J 2.15.0 where possible.
If upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set on both client- and server-side components.
这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。
https://www.v2ex.com/t/821360
V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。
V2EX is a community of developers, designers and creative people.