Apache Log4j Deserialization Vulnerability (CVE-2017-5645)


On April 18th, a deserialization vulnerability in Apache Log4j (CVE-2017-5645) was disclosed. An attacker can trigger it by sending a specially crafted binary payload to a Log4j socket server, which deserializes the bytes into objects and thereby executes the code carried by the constructed payload.

Vulnerability Trigger Point

The root cause is that the receiving side deserializes data from untrusted sources with ObjectInputStream without filtering which classes may be instantiated. The vulnerability is addressed by adding configurable class-filtering capabilities and related settings to TcpSocketServer and UdpSocketServer. Apache has released a new Log4j version that contains this fix. Patch download address: http://download.nextag.com/apache/logging/log4j/2.8.2/

Scope of impact

Affected versions: Apache Log4j below 2.8.2

Unaffected versions: none listed

Recommendation

Users using Java 7+ should immediately upgrade to version 2.8.2 or avoid using socket server related classes.
Reference link:
https://issues.apache.org/jira/browse/LOG4J2/fixforversion/12339750/?spm=5176.bbsr313258.0.0.sd9F87&selectedTab=com.atlassian.jira.jira-projects-plugin:version-summary-panel
Users on Java 6 should avoid using the TCP or UDP socket server classes. Alternatively, they can manually backport the relevant changes from the 2.8.2 update to resolve the vulnerability.
Reference link: https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=5dcc192

Article reference: http://toutiao.secjia.com/apache-log4j-deserialization-vulnerabilities-cve-2017-5645

Title: Apache Log4j Deserialization Vulnerability (CVE-2017-5645)

Author: nmask

Published: April 19, 2017 - 19:04

Last updated: August 16, 2019 - 15:08

Original link: https://thief.one/2017/04/19/02/en/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.
