Apache Log4j version 2.17.0 has been officially released, fixing the third security vulnerability discovered in the library, CVE-2021-45105.
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 do not prevent uncontrolled recursion of self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), an attacker who controls the Thread Context Map (MDC) input data can craft malicious input containing recursive lookups, causing a StackOverflowError that terminates the process. This is a denial-of-service (DoS) attack.
Starting from version 2.17.0 (for Java 8), only lookup strings in the configuration are expanded recursively; in any other usage, only top-level lookups are resolved, and nested lookups are not.
In previous versions, this issue could be mitigated by ensuring that your logging configuration did the following:
In the PatternLayout of the logging configuration, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with the Thread Context Map pattern (%X, %mdc or %MDC).
Otherwise, remove references to Context Lookups such as ${ctx:loginId} or $${ctx:loginId} from the configuration where they originate from sources outside the application, such as HTTP headers or user input.
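The following is an added example, not code from the page or from the Log4j project: a small script that scans a log4j2.xml configuration for Context Lookups (${ctx:...} or $${ctx:...}) inside PatternLayout patterns and rewrites them to the %X{key} Thread Context Map converter described above. The sample configuration is constructed for the example; the only Log4j facts it relies on are the PatternLayout element, its pattern attribute, and the %X{key} converter.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml (not taken from the page). Both appenders use a
# Context Lookup in their PatternLayout, the configuration shape that is affected.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] %-5level user=$${ctx:loginId} %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout pattern="%d %p session=${ctx:sessionId:-none} %m%n"/>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="Audit"/></Root>
  </Loggers>
</Configuration>
"""

# Matches ${ctx:KEY} and $${ctx:KEY}, with an optional ':-default' suffix.
# Group 1 is the MDC key; the default value is discarded by the rewrite.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([A-Za-z0-9_.-]+)(?::-[^}]*)?\}")


def find_context_lookups(config_xml: str) -> list[tuple[str, str, list[str]]]:
    """Return (appender name, pattern, MDC keys) for every PatternLayout whose
    pattern still contains a Context Lookup. An empty list means none were found."""
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.find("Appenders"):
        for layout in appender.iter("PatternLayout"):
            pattern = layout.get("pattern", "")
            keys = CTX_LOOKUP.findall(pattern)
            if keys:
                findings.append((appender.get("name"), pattern, keys))
    return findings


def harden_pattern(pattern: str) -> str:
    """Rewrite ${ctx:key} / $${ctx:key} to %X{key}. The %X converter reads the
    Thread Context Map directly and is not subject to lookup expansion, so
    attacker-controlled MDC values are printed literally."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


def harden_config(config_xml: str) -> str:
    """Return the configuration with every PatternLayout pattern rewritten."""
    root = ET.fromstring(config_xml)
    for layout in root.iter("PatternLayout"):
        pattern = layout.get("pattern")
        if pattern:
            layout.set("pattern", harden_pattern(pattern))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, pattern, keys in find_context_lookups(SAMPLE_CONFIG):
        print(f"appender {name!r} uses Context Lookup for keys {keys}: {pattern}")
    print(harden_config(SAMPLE_CONFIG))
```

Run it against a real configuration by reading the file into `harden_config`; note that a `:-default` fallback attached to a lookup is dropped by the rewrite, so any pattern that relied on it needs a manual review of the MDC value being present.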
The specific updates of version 2.17.0 include:
Fixed string replacement recursion. Fix LOG4J2-3230
Restrict JNDI to java protocol only. By default, JNDI will remain disabled. Renamed JNDI enable properties from "log4j2.enableJndi" to "log4j2.enableJndiLookup", "log4j2.enableJndiJms", and "log4j2.enableJndiContextSelector". Fix LOG4J2-3242
JNDI is limited to java protocol. By default, JNDI will remain disabled. The enable property has been renamed to "log4j2.enableJndiJava". Fix LOG4J2-3242
Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as this will cause problems with the Maven enforcer plugin. Fix LOG4J2-3241
PropertiesConfiguration.parseAppenderFilters NPE when parsing properties file filters. Fix LOG4J2-3247
Syslog Appender's Log4j 1.2 bridge defaults to port 512 instead of 514. Fix LOG4J2-3249
Log4j 1.2 bridge API hardcodes Syslog protocol to TCP. Fix LOG4J2-3237