Shulou(Shulou.com)05/31 Report--

This article mainly shows you "Apache Log4j 2.17.0 can solve what problems", the content is easy to understand, clear, hope to help you solve doubts, the following let the editor lead you to study and learn "Apache Log4j 2.17.0 can solve what problems" this article.

Apache Log4j version 2.17.0 has been officially released, which addresses the third security vulnerability found, CVE-2021-45105.

Apache Log4j2 versions of 2.0-alpha1 to 2.16.0 do not prevent uncontrolled recursion of self-referential lookups. When logging configuration uses non-default Pattern Layout and Context Lookup (for example, $${ctx:loginId}), attackers who control thread context mapping (MDC) input data can create malicious input data that contains recursive lookups, resulting in StackOverflowError, which terminates the process. This is also known as a DoS attack.

Starting with version 2.17.0 (for Java 8), only the lookup strings in the configuration are recursively extended; in any other use, only top-level lookups are resolved and no nested lookups are resolved.

In previous versions, you can alleviate this problem by ensuring that your logging configuration does the following:

In the PatternLayout configured for logging, replace Context Lookups such as ${ctx:loginId} or ${ctx:loginId} with Thread Context Map mode (% X,% mdc, or% MDC).

Otherwise, remove references to Context Lookups such as ${ctx:loginId} or ${ctx:loginId} from the configuration; they are derived from sources external to the application, such as HTTP headers or user input.

The specific updates of version 2.17.0 include:

Fix string replacement recursion. Repair LOG4J2-3230

Limit JNDI to the java protocol. By default, JNDI remains disabled. Rename the JNDI enable property from "log4j2.enableJndi" to "log4j2.enableJndiLookup", "log4j2.enableJndiJms", and "log4j2.enableJndiContextSelector". Repair LOG4J2-3242

JNDI is limited to the java protocol. By default, JNDI remains disabled. Enable property has been renamed to "log4j2.enableJndiJava". Repair LOG4J2-3242

Do not declare log4j-api-java9 and log4j-core-java9 as dependencies, as this can cause problems with the Maven enforcer plug-in. Repair LOG4J2-3241

PropertiesConfiguration.parseAppenderFilters NPE when parsing the properties file filter. Repair LOG4J2-3247

Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514. Repair LOG4J2-3249

Log4j 1.2 bridge API hardcodes the Syslog protocol as TCP. Repair LOG4J2-3237

These are all the contents of this article entitled "what problems can Apache Log4j 2.17.0 solve?" Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.