Background

Following the official release of 2.15.0 the day before yesterday, the Apache Log4j 2 team has announced the release of Log4j 2.16.0!

Log4j now ships two versions of the SLF4J-to-Log4j adapter because SLF4J broke binding compatibility between its releases: log4j-slf4j-impl is for SLF4J 1.7.x and earlier, and log4j-slf4j18-impl is for SLF4J 1.8.x and later. SLF4J 2.0.0-alpha is not yet fully supported.

Upgrading to 2.16.0 is highly recommended.

Bug fixes

LOG4J2-3208: Disable JNDI by default. The system property log4j2.enableJndi must now be set to true to allow any JNDI use. Using JNDI in an unprotected context, whether in Log4j2 or in any other Java library that relies on JNDI, is a significant security risk.

LOG4J2-3211: Remove support for lookups in messages completely. This is an additional hardening measure related to CVE-2021-44228; it is not required in order to fix CVE-2021-44228 itself.

Apache projects affected by the vulnerability

In addition, the Apache security team today published the list of Apache projects affected by Log4j CVE-2021-44228. You can check your dependencies against the following list:

Project                  Affected                  Remediation
Apache Archiva           Yes                       Will be addressed in the upcoming 2.2.6 release
Apache Druid             Yes                       Update to 0.22.1
Apache EventMesh         Yes                       No clear plan at present
Apache Iceberg           No
Apache Flink             Yes                       No clear plan at present
Apache Fortress          Yes                       Update to 2.0.7
Apache Geode             Yes                       Update to 1.12.6, 1.13.5 or 1.14.1
Apache Guacamole         No
Apache Hadoop            No                        Uses log4j 1.x
Apache Hive              Yes                       No clear plan at present
Apache Jena              Yes                       No clear plan at present
Apache JMeter            Yes                       No clear plan at present
Apache JSPWiki           Yes                       No clear plan at present
Apache Log4j 1.2         Similar vulnerability     See CVE-2021-4104 (JMS calling JNDI)
Apache Log4j 2.x         Yes                       Update to 2.16.0
Apache Log4Net           No
Apache OFBiz             Yes                       Update to 18.12.03
Apache Ozone             Yes                       Update to 1.2.1
Apache SkyWalking        Yes                       Update to 8.9.1
Apache Solr              Yes                       Update to 8.11.1
Apache Spark             No                        Uses log4j 1.x
Apache Struts            Yes                       No clear plan at present
Apache Tomcat            No
Apache TrafficControl    Yes                       No clear plan at present
Apache ZooKeeper         No                        Uses log4j 1.x
Apache Calcite Avatica   Yes                       Update to 1.20.0
Apache CloudStack        No

Prior to version 2.15.0, Log4j automatically resolved lookups found in messages or parameters when they were rendered by a pattern layout. Since 2.15.0 this behavior is no longer the default and has to be enabled explicitly with %msg{lookups} (and 2.16.0 removes message lookups altogether, see LOG4J2-3211 above). Apache Log4j 2.16.0 requires at least Java 8 to build and run. Log4j 2.12.1 is the last release to support Java 7, which is no longer supported by the Log4j team.

Upgrade steps

A few days ago I put together an urgent fix tutorial for this vulnerability: Apache Log4j Arbitrary Code Execution Vulnerability Security Risk Upgrade Fix tutorial. That method is still valid.

If you would rather not read the previous article, you can upgrade the JAR directly by declaring the following dependencies:


<properties>
    <java.version>1.8</java.version>
    <log4j2.version>2.16.0</log4j2.version>
</properties>

<dependencies>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j2.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>${log4j2.version}</version>
    </dependency>
</dependencies>

If you have a SpringBoot project, just change the version number:


<properties>
    <java.version>1.8</java.version>
    <log4j2.version>2.16.0</log4j2.version>
</properties>

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-log4j2</artifactId>
    </dependency>
</dependencies>
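
Declaring the dependency is only half the job; a transitive log4j-core pulled in by another library can still lag behind the version you pinned, so it is worth checking what actually lands on the classpath. The following Python check is an added example (not from the original article or the Log4j project): it reads the Maven pom.properties that a log4j-core JAR carries and flags anything below 2.16.0, using sample JARs constructed in memory.

```python
import io
import zipfile

# Anything below this version needs upgrading (the page recommends 2.16.0).
FIXED_VERSION = (2, 16, 0)
# Standard Maven metadata path inside a log4j-core JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class that implements the JNDI lookup. 2.16.0 still ships it but disables
# JNDI by default, so its presence alone is a signal, not a verdict.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); qualifiers such as '-rc1' are ignored."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def assess_log4j_jar(jar_bytes):
    """Return (version, has_jndi_lookup, needs_upgrade) for a log4j-core JAR.

    version is None when the JAR carries no log4j-core pom.properties; such a
    JAR is treated as needing attention because its version is unknown.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names
    needs_upgrade = version is None or parse_version(version) < FIXED_VERSION
    return version, has_jndi, needs_upgrade


def build_fake_jar(version, with_jndi_lookup):
    """Constructed sample JAR (a zip) standing in for a real log4j-core artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version is not None:
            props = f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n"
            jar.writestr(POM_PROPS, props)
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


if __name__ == "__main__":
    for version in ("2.14.1", "2.15.0", "2.16.0"):
        print(version, assess_log4j_jar(build_fake_jar(version, True)))
```

To run it against a real deployment, feed assess_log4j_jar the bytes of each log4j-core*.jar found under the application's lib directory and upgrade wherever needs_upgrade is True.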

Resources

For complete information about Apache Log4j 2, including how to submit bug reports, patches, or suggestions for improvement, see the Apache Log4j 2 website:

logging.apache.org/log4j/2.x/

Event timeline

[2021/12/14] The Apache Log4j 2 team announced the release of Log4j 2.16.0

[2021/12/13] Official fix release 2.15.0 for this issue; the injection vulnerability in the Java logging library Log4j2 resurfaces

[2021/12/11] Spring Boot official guide for dealing with the Log4j2 injection vulnerability

[2021/12/10] A serious 0-day vulnerability is disclosed in the well-known Java logging component Log4j2

This article is an original piece by “Tom play structure”; please credit the source when reproducing it. Technology is for sharing, and I share it gladly! If you have any suggestions, leave a comment or send a private message; your support is what keeps me writing. Follow “Tom bomb architecture” for more technical content!