DD is taking part in the Nuggets contest; if my sharing has ever helped you, come and vote for me. Prizes will be given to the participants. Click to participate if you are interested.

This morning, before I had even got out of bed, I picked up my phone and saw a headline that gave me a real jolt!

I got out of bed and went straight to the website to find out what the problem was and how bad it was.

It was released on December 16th, so it has already been a few days. Surely it is not a problem, is it?

Taking a closer look at the major bug fixes in this release: CVE-2021-42550.

I went on to look up the following information about the vulnerability:

This vulnerability affects versions below 1.2.9: an attacker who can edit the logback configuration file can craft a malicious configuration that causes arbitrary code loaded from an LDAP server to be executed!

Does that description sound serious? It is not as bad as I thought. As the figure above shows, the severity of this vulnerability is only MEDIUM.

To head off any panic, the official release notes also stress that this vulnerability is not in the same severity class as Log4Shell, because exploiting it requires the attacker to already have permission to write the logback configuration file.

Of course, if you care about system-level security and still feel uneasy about your application, you can also upgrade your Logback version to harden your defenses against this potential problem.

Since many of DD's readers use Spring Boot, let's look at the relationship between Spring Boot versions and Logback versions. Except for 2.6.2 and 2.5.8, which were just released and use 1.2.9, all earlier versions are affected. If you are learning Spring Boot, I recommend a free tutorial series that has been continuously updated for years: blog.didispace.com/spring-boot…

So, 2.6.x and 2.5.x users can simply bump the minor version. For earlier versions, add a logback.version entry to the properties as follows:
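As an added example (not the snippet from the original post), here is a Maven pom.xml for a project on an older Spring Boot parent (2.5.7 is just a constructed example version) that overrides the logback.version property used by Spring Boot's dependency management, so the transitive Logback dependency resolves to 1.2.9:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- An older Spring Boot parent (2.5.7 is a constructed example version); it pins
       a pre-1.2.9 logback-classic through spring-boot-dependencies. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.7</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>
  <artifactId>logback-cve-2021-42550-demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Override the version Spring Boot's dependency management would otherwise
         choose, so every transitive logback-classic / logback-core resolves to 1.2.9. -->
    <logback.version>1.2.9</logback.version>
  </properties>

  <dependencies>
    <!-- spring-boot-starter pulls in spring-boot-starter-logging, and with it logback-classic -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>

  <!-- Verify after the change:
       mvn dependency:tree -Dincludes=ch.qos.logback
       Both logback-classic and logback-core should now show 1.2.9. -->
</project>
```

With the Spring Boot Gradle plugin the equivalent override is `ext['logback.version'] = '1.2.9'` in build.gradle.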

In addition to upgrading the version, users are also advised to make the logback configuration file read-only.

Finally, don't panic too much; take your time, this is not as serious as Log4j2!


This article was first published on my public account: Program Ape DD. It focuses on sharing the latest industry news and cutting-edge technology information; follow me to be the first to hear about what is at the frontier and build up the capital that lets technical people overtake on the bends.