In the last two days a critical vulnerability has surfaced in the log4j framework. It causes user-supplied input that ends up in log messages to access information on the server, and can lead to the service being hijacked.
Versions: every log4j2 release below 2.15.0 is affected, so you need to upgrade to 2.15.0.
Upgrade: taking Spring Boot as the example
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <exclusions><!-- drop Spring Boot's default logging -->
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-logging</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency> <!-- pull in the log4j2 dependency -->
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-log4j2</artifactId>
    </dependency>
We need to change it to the following (the explicit log4j-api and log4j-core entries pin the version to 2.15.0 instead of the one the starter would otherwise resolve):
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <exclusions><!-- drop Spring Boot's default logging -->
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-logging</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency> <!-- pull in the log4j2 dependency -->
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-log4j2</artifactId>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>2.15.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.15.0</version>
    </dependency>
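Pinning the version in the POM only fixes what Maven resolves; what actually runs is whatever log4j-core ends up in the deployed lib directory or fat jar. The following scanner, an added example that is not part of the original post, walks a directory of jars and reports every log4j-core below a minimum version. It assumes each log4j-core jar carries the standard Maven metadata entry META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, and treats a jar that contains log4j-core's JndiLookup class without that metadata (a shaded or repackaged jar) as "version unknown" so that it is flagged rather than silently passed. The 2.15.0 floor is the value from the post; MIN_VERSION is a parameter you raise to whatever your policy requires. The demo() fixtures are constructed stand-in zips, not real log4j jars.

```python
"""Scan a directory of JARs for log4j-core builds below a minimum version.

Added example, not code from the original post. It assumes the jars carry
the standard Maven metadata entry
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties (which
the build writes into every log4j-core jar), and treats a jar that ships
log4j-core's JndiLookup class without that metadata (a shaded/fat jar) as
"version unknown", which is reported as not OK so a human looks at it.
"""
import re
import tempfile
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MIN_VERSION = "2.15.0"  # floor taken from the post; raise it to whatever your policy requires


def parse_version(text):
    """'2.15.0' -> (2, 15, 0). Trailing qualifiers such as '-rc1' are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def log4j_core_version(jar_path):
    """Version string of log4j-core inside the jar, 'unknown' for a shaded
    jar that contains JndiLookup but no metadata, or None if log4j-core is absent."""
    with zipfile.ZipFile(jar_path) as z:
        names = set(z.namelist())
        if POM_PROPS in names:
            for line in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
            return "unknown"
        if JNDI_LOOKUP_CLASS in names:
            return "unknown"
    return None


def scan(lib_dir, min_version=MIN_VERSION):
    """Return [(jar_name, version, meets_floor)] for every jar under lib_dir
    that carries log4j-core. Jars without log4j-core are skipped."""
    floor = parse_version(min_version)
    findings = []
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        version = log4j_core_version(jar)
        if version is None:
            continue
        ok = version != "unknown" and parse_version(version) >= floor
        findings.append((jar.name, version, ok))
    return findings


def make_fake_jar(path, version=None, shaded=False):
    """Constructed test fixture: a zip holding only the entries the scanner looks at."""
    with zipfile.ZipFile(path, "w") as z:
        if version is not None:
            z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                  f"artifactId=log4j-core\nversion={version}\n")
        elif shaded:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
        else:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo():
    """Build a constructed lib/ directory with four stand-in jars and scan it."""
    lib = Path(tempfile.mkdtemp())
    make_fake_jar(lib / "log4j-core-2.14.1.jar", "2.14.1")
    make_fake_jar(lib / "log4j-core-2.15.0.jar", "2.15.0")
    make_fake_jar(lib / "shaded-app.jar", shaded=True)
    make_fake_jar(lib / "some-other-lib.jar")
    return scan(lib)


if __name__ == "__main__":
    for name, version, ok in demo():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: log4j-core {version}")
```

Point scan() at the unpacked application (for example the BOOT-INF/lib directory of a Spring Boot jar) after the build; a "FAIL" for an old version means a transitive or manually copied dependency is still overriding the pin, and a "FAIL" with version unknown means a repackaged jar needs a manual look.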
Verification:
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    public class Test {
        private static final Logger logger = LoggerFactory.getLogger(Test.class);

        public static void main(String[] args) {
            // "${java:hw}" is a log4j lookup string passed as a log parameter;
            // a vulnerable build expands it, a fixed build logs it verbatim.
            logger.info("张三,{}", "${java:hw}");
        }
    }
If the vulnerability is present, you will see the following result:
2021-12-15 14:52:23.183 [main] INFO com.zhm.util.Test - 张三,processors: 8, architecture: amd64-64, instruction sets: amd64
Result after the fix:
2021-12-15 14:51:32.754 [main] INFO com.zhm.util.Test - 张三,${java:hw}
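Reading the two outputs by eye works for one service; across many services it is easier to run the verification class everywhere and classify the collected log lines. The script below is an added example, not part of the original post. It assumes the log layout the post shows ("date time [thread] LEVEL logger - message") and that the verification class logged the literal "${java:hw}" as a parameter; it reports a line as patched when that canary came back verbatim and as vulnerable when log4j replaced it with the lookup's result. SAMPLE_LINES are the post's two output lines, embedded here as constructed input.

```python
"""Classify verification log lines by whether the lookup canary survived.

Added example, not code from the original post. It assumes the log layout
shown in the post, "date time [thread] LEVEL logger - message", and that the
verification class logged the literal string "${java:hw}" as a parameter.
"""
import re

CANARY = "${java:hw}"  # the lookup string the post's Test class logs

# Layout assumed from the post's sample output; adjust LINE_RE for other patterns.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Constructed sample: the two lines the post shows, vulnerable first, patched second.
SAMPLE_LINES = [
    "2021-12-15 14:52:23.183 [main] INFO com.zhm.util.Test - 张三,processors: 8, "
    "architecture: amd64-64, instruction sets: amd64",
    "2021-12-15 14:51:32.754 [main] INFO com.zhm.util.Test - 张三,${java:hw}",
]


def parse_line(line):
    """Split one log line into its fields; raises ValueError on an unexpected layout."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"line does not match the expected layout: {line!r}")
    return m.groupdict()


def verdict(message, canary=CANARY):
    """'patched' when the canary came back verbatim, 'vulnerable' when log4j
    replaced it with the lookup's result (here: host hardware details)."""
    return "patched" if canary in message else "vulnerable"


def classify(lines, canary=CANARY):
    """Return [(timestamp, logger, verdict)] for each line; a logger that still
    expands lookups inside logged parameters has not been upgraded."""
    return [(r["ts"], r["logger"], verdict(r["msg"], canary))
            for r in map(parse_line, lines)]


if __name__ == "__main__":
    for ts, logger, result in classify(SAMPLE_LINES):
        print(f"{ts} {logger}: {result}")
```

The "${java:hw}" canary is a good choice for this check because it only reads local JVM facts and makes no network connection, so a positive result is visible in the log without any side effect on the host.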