Apache Log4j exposes a critical remote code execution vulnerability; Flink and other components are affected

created at 12-11-2021

Apache Log4j bug

Apache Log4j 2, the widely used open source Java logging library, has been found to contain a critical remote code execution vulnerability (tracked as CVE-2021-44228). Attackers can use it to execute malicious code remotely without authentication. According to Alibaba Cloud's report, Log4j 2 recursively resolves lookup expressions embedded in log messages (for example a ${jndi:...} reference), so an attacker only needs to get a crafted string into a request field that the application logs in order to trigger remote code execution.

The vulnerability became public on December 7 through users of the game platform Minecraft: attackers could reportedly place crafted text into chat messages, which the server writes to its log, and thereby execute malicious code on the Minecraft server. The Log4j project released version 2.15.0-rc1 on the 7th to fix the issue, and security vendors including Alibaba Cloud, Douxiang Technology, NSFOCUS, Mo'an Technology, and Qi'anxin followed with advisories.

Affected versions are Apache Log4j 2.x up to and including log4j-2.15.0-rc1 (the fix in rc1 was found to be incomplete). The root cause is that when Log4j 2 formats a log message it performs lookup substitution on the message content, including any part of it that came from user input, so a single request carrying a crafted lookup string in a field that gets logged is enough to trigger remote code execution. The legacy Log4j 1.x branch has no message-lookup feature and is not affected by this particular issue.

Log4j2

How to determine whether you are affected

To determine whether an application is affected, developers only need to check whether the two jar files log4j-api and log4j-core are present in the Java application, including as transitive dependencies pulled in through the build tool or bundled inside a shaded or fat jar. If they are present, conduct a security investigation and take protective measures immediately. Components currently known to ship with Log4j 2 include:

  • spring-boot-starter-log4j2
  • Apache Solr
  • Apache Flink
  • Apache Druid

This means that a large number of third-party applications that depend on these components may also be exposed.

How to fix:

Upgrade every application that uses Apache Log4j 2 to the latest release, log4j-2.15.0-rc2, as soon as possible: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2

If you cannot update the version immediately, the following emergency mitigations are available. All three disable message lookups and only take effect on Log4j 2.10 and later:

  1. Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true
  2. Set log4j2.formatMsgNoLookups=true in a log4j2.component.properties file on the classpath
  3. Set the system environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true

For Log4j 2 versions older than 2.10, where that property is not honoured, remove the class org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core jar instead. Treat all of these as stopgaps: they reduce exposure but leave the affected code path in place, and upgrading remains the actual fix.
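A worked example of the two procedures above, checking a deployment for affected log4j-core jars and applying the class-removal mitigation to any that cannot be upgraded. This is an added example, not code from the original article or from the Log4j project. It assumes the jar manifest carries an Implementation-Version entry (as Log4j release builds do) and falls back to the version in the file name otherwise; the sample jars it builds are constructed stand-ins, not real Log4j artifacts.

```python
"""Scan a directory tree for log4j-core jars, assess exposure, and strip JndiLookup.

Added example, not part of the original article. Assumption: the jar manifest has an
Implementation-Version entry; if not, the version is read from log4j-core-<ver>.jar.
"""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")


def parse_version(text):
    """'2.15.0-rc1' -> (2, 15, 0, 'rc1'); '2.0-beta9' -> (2, 0, 0, 'beta9'); None if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, qual = m.groups()
    return (int(major), int(minor), int(patch or 0), qual or "")


def version_is_affected(ver):
    """Every Log4j 2.x release before 2.15 is affected, plus 2.15.0-rc1 (incomplete fix)."""
    major, minor, patch, qual = ver
    if major != 2:
        return False  # Log4j 1.x has no message lookups; this check is for 2.x only
    if minor < 15:
        return True
    return minor == 15 and patch == 0 and qual == "rc1"


def jar_version(jar_path):
    """Read Implementation-Version from the manifest, else parse it from the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    m = re.search(r"log4j-core-([0-9][^/]*?)\.jar$", os.path.basename(jar_path))
    return parse_version(m.group(1)) if m else None


def assess_jar(jar_path):
    """Describe one log4j-core jar: version, whether JndiLookup is present, and exposure."""
    with zipfile.ZipFile(jar_path) as zf:
        has_jndi = JNDI_LOOKUP in zf.namelist()
    ver = jar_version(jar_path)
    affected = ver is not None and version_is_affected(ver)
    return {
        "jar": jar_path,
        "version": ver,
        "jndi_lookup_present": has_jndi,
        # exploitable only if the version is affected AND the lookup class is still there
        "vulnerable": affected and has_jndi,
    }


def scan_tree(root):
    """Walk a directory tree and assess every log4j-core*.jar found (sorted by path)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results.append(assess_jar(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["jar"])


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same effect as deleting it with a zip tool).
    Returns True if the class was present and removed."""
    tmp = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)
    return removed


def make_sample_jar(path, version, with_jndi=True):
    """Build a constructed stand-in for a log4j-core jar (demonstration only, not Log4j)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes


def demo():
    """Scan two constructed jars, mitigate the vulnerable one, and rescan."""
    root = tempfile.mkdtemp()
    try:
        make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
        make_sample_jar(os.path.join(root, "log4j-core-2.15.0-rc2.jar"), "2.15.0-rc2")
        before = scan_tree(root)
        for r in before:
            if r["vulnerable"]:
                strip_jndi_lookup(r["jar"])
        after = scan_tree(root)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, results in zip(("before", "after"), demo()):
        for r in results:
            print(label, os.path.basename(r["jar"]), r["version"], "vulnerable=%s" % r["vulnerable"])
```

Point scan_tree at an application's lib directory (or an unpacked fat jar) to get the inventory; a jar reported as vulnerable=False because jndi_lookup_present is False has already had the class-removal mitigation applied, while one reported vulnerable=True needs an upgrade or, as a stopgap, strip_jndi_lookup.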

edited at: 12-11-2021