Yesterday morning I received a notice from the security department: Log4j needs to be upgraded yet again.


Upgrading the version

Upgrade immediately to the latest version: Log4j 2.17.0


Latest Maven dependency:

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.0</version>
</dependency>


When upgrading to Log4j 2.16.0 earlier, I had already spent two days testing and deploying every production server and thought the matter was closed. Unexpectedly, only a few days later it blew up again, and the grind starts over:



Key point

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.
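As an added defender-side check (example code, not part of the original post), the script below scans a log4j2.xml for PatternLayouts that still use the Context Lookup named in the advisory and reads the log4j-core version from a pom.xml to compare against 2.17.0. The sample config and pom are constructed; the %X{loginId} form in the second appender reflects the Log4j project's documented replacement for ${ctx:} lookups in patterns, which this post itself does not mention.

```python
import re
import xml.etree.ElementTree as ET

# Constructed log4j2.xml: the Console appender still uses a Context Lookup in a
# non-default PatternLayout; the File appender already uses %X{} (Thread Context Map).
SAMPLE_LOG4J2_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout><Pattern>%d %p user=%X{loginId} %m%n</Pattern></PatternLayout>
    </File>
  </Appenders>
</Configuration>"""

# Constructed pom.xml still pinned to the previous upgrade target.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId><version>2.16.0</version></dependency>
</dependencies></project>"""

CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")   # matches both ${ctx:..} and $${ctx:..}

def _local(e):
    return e.tag.split("}")[-1]  # strip the Maven XML namespace from a tag

def find_context_lookups(xml_text):
    """(appender name, pattern) for every PatternLayout that still uses a Context Lookup."""
    hits = []
    for appender in ET.fromstring(xml_text).find("Appenders"):
        for layout in appender.iter("PatternLayout"):
            pattern = layout.get("pattern") or (layout.findtext("Pattern") or "")
            if CTX_LOOKUP.search(pattern):
                hits.append((appender.get("name"), pattern))
    return hits

def log4j_core_versions(pom_text):
    """Versions declared for org.apache.logging.log4j:log4j-core in a pom.xml."""
    found = []
    for dep in ET.fromstring(pom_text).iter():
        if _local(dep) != "dependency":
            continue
        f = {_local(c): (c.text or "").strip() for c in dep}
        if f.get("groupId") == "org.apache.logging.log4j" and f.get("artifactId") == "log4j-core":
            found.append(f.get("version", ""))
    return found

def needs_upgrade(version, fixed="2.17.0"):
    """True when version sorts below the fixed release named in the post."""
    key = lambda v: tuple(int(n) for n in re.findall(r"\d+", v)[:3])
    return key(version) < key(fixed)
```

Run it over each service's log4j2.xml and pom.xml: any hit from find_context_lookups or a True from needs_upgrade means that host is still in the affected state the advisory describes.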

For details, see the official site: https://logging.apache.org/log4j/2.x/

For the full background of the Log4j2 vulnerability, see: "From Log4j2 internals, attacks and fixes: a look at the global Log4j2 vulnerability".

- END -