颤抖吧 Javaer， log4j 史诗级漏洞

目前还在用 jdk8 ，依赖 java 环境的程序不多，暂时停用了相关服务。

@cheng6563 slf4j 也受影响

java 养活了整个安全行业

log4j2 2.15.0-rc2 已经发布 https://github.com/apache/logging-log4j2/tree/rel/2.15.0

@sshang https://gluten.cool/journals

https://logging.apache.org/log4j/2.x/

News
CVE-2021-44228
The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0.

Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host.

One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.

@chaigon slf4j 都不会解析${}这种日志有什么影响？

暂时修不了的，可以用这个临时打个热补丁 https://mp.weixin.qq.com/s/ClNpWamMn55BkholbUbo_g

想知道怎么彻底修复,临时的修复方案过不了安全扫描,客户不认😂