相信许多订户都见过关于 Log4j 2 远程代码执行漏洞的新闻了。它的影响范围自 2.0-beta9 至 2.14.1 (以及 2.15.0 RC1 [1])。
请尽快更新至 2.15.0 RC2。实在无法更新的,可以升级 Java 至 8u121,或参考 [2] 的 workaround。Cloudflare WAF 用户也可部署文中提到的规则以处理此问题。对于其中两个动作为
CVSS: 10 (极其严重)
CVE: CVE-2021-44228
https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
1. https://help.aliyun.com/noticelist/articleid/1060971232.html
2. https://github.com/tangxiaofeng7/apache-log4j-poc
seealso:
- https://logging.apache.org/log4j/2.x/security.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
#CVE #PSA #Log4j
请尽快更新至 2.15.0 RC2。实在无法更新的,可以升级 Java 至 8u121,或参考 [2] 的 workaround。Cloudflare WAF 用户也可部署文中提到的规则以处理此问题。对于其中两个动作为
LOG 的规则,在确定没有误杀后,请尽快切换动作至 BLOCK。CVSS: 10 (极其严重)
CVE: CVE-2021-44228
https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
1. https://help.aliyun.com/noticelist/articleid/1060971232.html
2. https://github.com/tangxiaofeng7/apache-log4j-poc
seealso:
- https://logging.apache.org/log4j/2.x/security.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
#CVE #PSA #Log4j
The Cloudflare Blog
CVE-2021-44228 - Log4j RCE 0-day mitigation
A zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021, that results in remote code execution (RCE). This vulnerability is actively being exploited and anyone using Log4j should update to version…
