Lucene search

K
myhack58佚名MYHACK58:62201785395
HistoryApr 19, 2017 - 12:00 a.m.

Apache logging component Log4j deserialization vulnerability affects all 2. x version-bug warning-the black bar safety net

2017-04-1900:00:00
佚名
www.myhack58.com
284

EPSS

0.874

Percentile

98.7%

! [](/Article/UploadPic/2017-4/2017419102637370. png)

Open source stuff with more people, natural vulnerability. Apache for logging component Log4j to use the very flexible, in quite a lot of open source projects are using this exploit affects all Apache Log4j 2.* Series version: Apache Log4j 2.0-alpha1 – Apache Log4j 2.8.1 using Java 7+users should immediately upgrade to 2. 8. 2 Version. Nsfocus released a security threat announcement, the announcement of full text is as follows.

Apache Log4j is what

Log4j is the Apache an open source project, through the use of Log4j, we can control the log information delivery destination is the console, file, GUI components, even socket servers, NT Event logger, UNIX Syslog daemon, etc.; we can also control each section of the log output format; by defining each of the log information level, we can more carefully control the log generation process. The most interesting is that these can be through a configuration file to flexibly configure, without the need to modify the application code.

Nsfocus the Apache Log4j deserialization vulnerability to security threats notice

The notice reads as follows

Beijing Time 18 days morning, Apache Log4j was traced to the presence of a deserialization Vulnerability(CVE-2017-5645)。 An attacker can send a specially produced 2-ary payload, in the Assembly of bytes to deserialize the object, the trigger and perform the configuration of the payload code. The vulnerability is mainly due to the processing ObjectInputStream, the receiver for the unreliable source of the input is not filtered. Can By to TcpSocketServer and UdpSocketServer add a configurable filtering function as well as some related settings, can effectively solve the vulnerability. Currently the Log4j official has released the new version fixes the vulnerability.

The relevant address:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2017-5645&gt;

<https://issues.apache.org/jira/browse/LOG4J2-1863&gt;

<http://seclists.org/oss-sec/2017/q2/78&gt;

The scope of the impact

The affected version

All the Apache Log4j 2.* Series version: Apache Log4j 2.0-alpha1 – Apache Log4j 2.8.1

Not affected versions: Apache Log4j 2.8.2

To circumvent the scheme

Using Java 7+users should immediately upgrade to 2. 8. 2 version or avoid using the socket server of the relevant class. Reference link:

<https://issues.apache.org/jira/browse/LOG4J2/fixforversion/12339750/?selectedTab=com.atlassian.jira.jira-projects-plugin:version-summary-panel&gt;

Use Java 6 users should avoid the use of TCP or UDP socket server related classes, the user can also manually add 2. 8. 2 updated version of the relevant code to fix the vulnerability.