Shulou(Shulou.com)06/01 Report--

This article will explain in detail the example analysis of the fatal loophole in log4j. The editor thinks it is very practical, so I share it for you as a reference. I hope you can get something after reading this article.

What is a journal?

When we learn to program, we turn on debug mode to debug the code, and we can see the status of each variable in the code. But in the actual production, there is no debug mode, we can only use the output of this variable to judge. In the beginning, the editor will not use the debug mode to judge the state of the code: print statements are used to output the variables. For the server, this method is not realistic (you can't send someone to keep an eye on the server all the time). It makes more sense to write the output to the text with the write time, so that a file can be generated every day, which is called the log.

What is a log management tool?

Use the simplest (simple idea) to write the file to write the log, there will be complex code, cluttered logs, log level is not clear, at this time the introduction of log management tools, many languages have log management tools, such as JavaScript's console.log () method, is a log write function (but it will be output in the console), java also has a logging tool for log management.

What is log4j and why do you use it?

Log4j is a better log management tool, logging is not so easy to use, and it will be more comfortable to use it with log4j.

Which projects will use log4j?

Log management tools are available everywhere, from desktop applications to web servers to Android app. Common applications that use log4j are as follows: most springboot web applications and most ssh,ssm frameworks integrate log4j (developers integrate them, not their own, but many developers choose log4j, which is why this vulnerability is so serious). Desktop applications like Minecraft also use log4j (so there are many cases of attacks through Minecraft, and are rising rapidly).

How to avoid this bug?

Upgrade log4j to the latest version. On the morning of December 10, the Aliyun security team issued another warning and found that there were vulnerabilities in the Apache Log4j 2.15.0-rc1 version. It is recommended to update to the Apache Log4j 2.15.0-rc2 version in a timely manner.

This is the end of the article on "example analysis of log4j lethal loopholes". I hope the above content can be helpful to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.