Apache Log4j2 reports a nuclear-level vulnerability and a quick fix

Apache Log4j2 reported a nuclear-level vulnerability, and the stack leader’s circle of friends went wild. Many programmers stayed up until midnight to go online urgently. Did you sleep last night? ?

Apache Log4j2 is a Java-based logging tool and an upgrade of Log4j. It provides many optimizations available in Logback based on its predecessor Log4j 1.x, and fixes some problems in the Logback architecture. It is currently one of the best Java logging frameworks.

The triggering condition of this Apache Log4j2 vulnerability is that as long as the data entered by external users will be logged, remote code execution can be caused.

Affected versions

2.0 <= Apache log4j2 <= 2.14.1

Latest official patch

https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2

Temporary solution

1) Set jvm parameters:

-Dlog4j2.formatMsgNoLookups=true

2) Log settings:

log4j2.formatMsgNoLookups=True

3) Set system environment variables:

FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS = true

4) Close the corresponding application's external network connection and prohibit active external connections

Reference: https://github.com/apache/logging-log4j2

If you haven't upgraded yet, please check and repair it immediately to avoid any losses. .

Summary of additional information:

Vulnerability fix:

Apache has officially released a patch, and Tencent security experts recommend that affected users upgrade to a secure version as soon as possible.

Patch download address:
https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1

Vulnerability Mitigation Measures:

(1) JVM parameter -Dlog4j2.formatMsgNoLookups=true

(2) log4j2.formatMsgNoLookups=True

That’s all about the breaking news! This is the end of the article on how to quickly fix the Apache Log4j2 nuclear-level vulnerability. For more information about the Apache Log4j2 nuclear-level vulnerability, please search 123WORDPRESS.COM's previous articles or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!