On April 18th, a deserialization vulnerability in Apache Log4j (CVE-2017-5645) was disclosed. An attacker can trigger it by sending a specially crafted binary payload; when the receiver deserializes those bytes into objects, the code carried in the constructed payload is executed.
The root cause is that the receiving side does not filter input from untrusted sources when processing an ObjectInputStream. The vulnerability is resolved by adding configurable filtering capabilities and related settings to TcpSocketServer and UdpSocketServer. The Log4j project has released a new version that fixes the issue. Patch reference download address: http://download.nextag.com/apache/logging/log4j/2.8.2/
Apache Log4j 2.8.2
Users running Java 7+ should upgrade to version 2.8.2 immediately, or avoid using the socket server related classes.
Users running Java 6 should avoid using the TCP or UDP socket server related classes. Alternatively, users can manually apply the relevant code changes from the 2.8.2 update to resolve the vulnerability.
Reference link: https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=5dcc192