Apache Logging Services-Log4j Vulnerability
What is Apache Log4j?
Log4j is an open source project of the Apache Software Foundation. With Log4j we can control where log output is delivered: the console, a file, a GUI component, or even a socket server, the NT event log, the UNIX syslog daemon, and so on. We can control the output format of each log, and by assigning a level to each log message we can control the logging process in finer detail. Most usefully, all of this can be configured through a configuration file, without modifying the application code.
Apache Log4j deserialization vulnerability
Apache Log4j was found to have a deserialization vulnerability (CVE-2017-5645). An attacker who sends a specially crafted binary payload to a socket server, which deserializes the bytes into an object, can cause the constructed payload code to execute. The root cause lies in the handling of ObjectInputStream: input received from an untrusted source is not filtered before it is deserialized. The vulnerability can be addressed by adding configurable filtering to TcpSocketServer and UdpSocketServer, together with some related settings. The Log4j project has released a new version that fixes the vulnerability.
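To make the "configurable filtering" idea concrete, the following is an added example (not Log4j's own FilteredObjectInputStream and not code from the referenced commit; the class, method and allow-list names are assumptions for this demo). It overrides ObjectInputStream.resolveClass() so that only class names on an explicit allow list are ever resolved: an expected event type is accepted, while any other serializable type in the stream is rejected before its constructor, readObject() or any gadget chain can run. This is the same defensive pattern a socket receiver needs when it must deserialize bytes from an untrusted network source.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;

/**
 * Illustrative allow-list deserialization filter. This is an added example,
 * not Log4j's own code; the class and method names are assumptions for the demo.
 */
public class AllowListObjectInputStream extends ObjectInputStream {

    private final Set<String> allowedClasses;

    public AllowListObjectInputStream(InputStream in, Set<String> allowedClasses) throws IOException {
        super(in);
        this.allowedClasses = allowedClasses;
    }

    /**
     * ObjectInputStream calls this before turning a class descriptor from the
     * stream into a Class. Refusing here means no code of an unexpected class
     * (constructor, readObject(), gadget chain) is ever executed.
     */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowedClasses.contains(name)) {
            throw new InvalidClassException(name, "class is not on the deserialization allow list");
        }
        return super.resolveClass(desc);
    }

    /** Stand-in (constructed for this demo) for the event type a socket server expects. */
    public static final class LogMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String level;
        final String text;
        LogMessage(String level, String text) { this.level = level; this.text = text; }
    }

    /** Serializes an object with the standard ObjectOutputStream, as a remote sender would. */
    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /** Deserializes through the filtering stream instead of a plain ObjectInputStream. */
    static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The receiver only ever expects LogMessage instances.
        Set<String> allowed = Collections.singleton(LogMessage.class.getName());

        // Expected input: accepted and fully deserialized.
        LogMessage ok = (LogMessage) deserialize(serialize(new LogMessage("INFO", "startup complete")), allowed);
        System.out.println("accepted: " + ok.level + " " + ok.text);

        // Unexpected input (constructed here as a harmless HashMap): an unfiltered
        // ObjectInputStream would instantiate it; the filter refuses it up front.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        try {
            deserialize(serialize(unexpected), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac AllowListObjectInputStream.java && java AllowListObjectInputStream`. The allow list should be as narrow as the receiver's protocol permits and kept in configuration rather than hard-coded, which is what "configurable filtering" on the socket servers refers to. On Java 9 and later (and Java 8 updates that backport JEP 290), the built-in ObjectInputFilter mechanism can express the same allow list without subclassing ObjectInputStream.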
Related address:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
https://issues.apache.org/jira/browse/LOG4J2-1863
http://seclists.org/oss-sec/2017/q2/78
Affected version
All versions in the Apache Log4j 2.x series
How to fix
Users on Java 7 or later should upgrade to version 2.8.2 immediately, or avoid using the socket server classes.
Users on Java 6 should avoid using the TCP or UDP socket server classes; they can also manually apply the updated code from version 2.8.2 (see the reference below) to fix the vulnerability.
Reference
https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=5dcc192