Log4j2 Vulnerability Upgrade

I. Affected versions:

Apache Log4j 2.x <= 2.15.0-rc1

II. Applications that may be affected include, but are not limited to:

Spring-Boot-starter-log4j2

Apache Struts2

Apache Solr

Apache Druid

Apache Flink

ElasticSearch

Flume

Dubbo

Jedis

Logstash

Kafka

Apache Storm

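III. Remediation:

1. Wait for the upstream project to ship a release with an upgraded log4j2.

2. Upgrade log4j2 yourself to >= 2.15.0; the latest release at the time of writing is 2.16.0.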

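IV. Upgrade steps for selected components:

1. logstash

1.1. Download the new release, 6.8.21 or 7.16.1, from the official website; it fixes this issue.

1.2. Upgrade log4j2 yourself

Find the vulnerable jars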

find / -name "log4j-api*.jar"
find / -name "log4j-core*.jar"

Replace each jar found with the downloaded new jar of the same name

[Update the logstash core libraries]
mv /opt/logstash/logstash-core/lib/jars/log4j-api-2.9.1.jar /opt/logstash/logstash-core/lib/jars/log4j-api-2.9.1.jar.bak
mv /opt/logstash/logstash-core/lib/jars/log4j-core-2.9.1.jar /opt/logstash/logstash-core/lib/jars/log4j-core-2.9.1.jar.bak
mv /opt/logstash/logstash-core/lib/jars/log4j-slf4j-impl-2.9.1.jar /opt/logstash/logstash-core/lib/jars/log4j-slf4j-impl-2.9.1.jar.bak
cp /home/log4j/log4j-api-2.15.0.jar /opt/logstash/logstash-core/lib/jars/
cp /home/log4j/log4j-core-2.15.0.jar /opt/logstash/logstash-core/lib/jars/
cp /home/log4j/log4j-slf4j-impl-2.15.0.jar /opt/logstash/logstash-core/lib/jars/


[Update the logstash plugins]
-- logstash-input-kafka-8.0.6: replace the runtime jars
mv /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-kafka-8.0.6/vendor/jar-dependencies/runtime-jars/log4j-api-2.8.2.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-kafka-8.0.6/vendor/jar-dependencies/runtime-jars/log4j-api-2.8.2.jar.bak
mv /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-kafka-8.0.6/vendor/jar-dependencies/runtime-jars/log4j-slf4j-impl-2.8.2.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-kafka-8.0.6/vendor/jar-dependencies/runtime-jars/log4j-slf4j-impl-2.8.2.jar.bak
cp /home/log4j/log4j-api-2.15.0.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-kafka-8.0.6/vendor/jar-dependencies/runtime-jars/
cp /home/log4j/log4j-slf4j-impl-2.15.0.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-kafka-8.0.6/vendor/jar-dependencies/runtime-jars/

-- logstash-input-kafka-8.0.6: replace the dependencies
mv /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-kafka-8.0.6/lib/org/apache/logging/log4j/log4j-api/2.8.2/log4j-api-2.8.2.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-kafka-8.0.6/lib/org/apache/logging/log4j/log4j-api/2.8.2/log4j-api-2.8.2.jar.bak

-- logstash-input-beats-5.0.13-java: replace the dependencies (the rb file must be edited)
mv /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-beats-5.0.13-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.6.2/log4j-api-2.6.2.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-beats-5.0.13-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.6.2/log4j-api-2.6.2.jar.bak
mkdir -p /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-beats-5.0.13-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.15.0/
cp /home/log4j/log4j-api-2.15.0.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-beats-5.0.13-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.15.0/
vim /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-beats-5.0.13-java/lib/logstash-input-beats_jars.rb
[change the log4j-api version from 2.6.2 to 2.15.0]

-- logstash-output-kafka-7.0.10: replace the runtime jars
mv /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/vendor/jar-dependencies/runtime-jars/log4j-1.2-api-2.6.2.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/vendor/jar-dependencies/runtime-jars/log4j-1.2-api-2.6.2.jar.bak
mv /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/vendor/jar-dependencies/runtime-jars/log4j-api-2.6.2.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/vendor/jar-dependencies/runtime-jars/log4j-api-2.6.2.jar.bak
mv /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/vendor/jar-dependencies/runtime-jars/log4j-core-2.6.2.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/vendor/jar-dependencies/runtime-jars/log4j-core-2.6.2.jar.bak
cp /home/log4j/log4j-1.2-api-2.15.0.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/vendor/jar-dependencies/runtime-jars/
cp /home/log4j/log4j-api-2.15.0.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/vendor/jar-dependencies/runtime-jars/
cp /home/log4j/log4j-core-2.15.0.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/vendor/jar-dependencies/runtime-jars/

-- logstash-output-kafka-7.0.10: replace the dependencies
mv /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/lib/org/apache/logging/log4j/log4j-api/2.6.2/log4j-api-2.6.2.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/lib/org/apache/logging/log4j/log4j-api/2.6.2/log4j-api-2.6.2.jar.bak
mv /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/lib/org/apache/logging/log4j/log4j-core/2.6.2/log4j-core-2.6.2.jar /opt/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-kafka-7.0.10/lib/org/apache/logging/log4j/log4j-core/2.6.2/log4j-core-2.6.2.jar.bak

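Notes:

(1) For dependency jars, if a jar is actually used by the plugin, the [plugin-name]/lib/*.rb file must be modified as well; reading the rb file is enough to tell whether the jar is used.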


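(2) When making the changes, besides looking for the log4j-core and log4j-api files, also check whether the directory contains other log4j jars of the same version, such as log4j-slf4j-impl and log4j-1.2-api; if the version number is the same, replace them as well.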
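An added example (not from the original post) that automates the two checks in the notes above: it lists every log4j 2.x jar under a directory whose file-name version is still below a minimum, whatever the artifact name, and prints the plugin lib/*.rb lines that still reference an old version. The function names are this example's own, and the default minimum of 2.15.0 is the threshold given on this page.

```shell
#!/bin/sh
# Added example: post-upgrade audit for the manual jar swap described above.
# Function names are this example's own; MIN defaults to the page's 2.15.0.

# version_lt A B: exit 0 if dotted numeric version A is strictly lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }' </dev/null
}

# list_old_log4j ROOT MIN: print each log4j-<artifact>-<version>.jar under ROOT
# whose version is below MIN. Covers log4j-api, log4j-core, log4j-slf4j-impl,
# log4j-1.2-api, ...; renamed *.jar.bak backups do not match and are ignored.
list_old_log4j() {
    find "$1" -type f -name 'log4j-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        ver=$(basename "$jar" |
              sed -n 's/^log4j-.*-\([0-9][0-9.]*\)\.jar$/\1/p')
        [ -n "$ver" ] || continue
        if version_lt "$ver" "$2"; then printf '%s\n' "$jar"; fi
    done
}

# stale_rb_refs ROOT OLDVER: print file:line:text for plugin lib/*.rb lines
# that mention log4j together with OLDVER, i.e. loaders still to be edited.
stale_rb_refs() {
    find "$1" -type f -path '*/lib/*.rb' -exec grep -Hn 'log4j' {} + \
        2>/dev/null | grep -F "$2" || true
}

# Stand-alone use: sh audit.sh /opt/logstash 2.15.0
if [ "$#" -ge 1 ]; then
    list_old_log4j "$1" "${2:-2.15.0}"
fi
```

An empty result from list_old_log4j means no jar with an old version in its file name remains under that directory; the check goes by file name only, so log4j classes bundled inside other jars are not detected.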

2. storm

[Stop the storm topology]

mv $storm/lib/log4j-api-2.8.2.jar $storm/lib/log4j-api-2.8.2.jar.bak

mv $storm/lib/log4j-core-2.8.2.jar $storm/lib/log4j-core-2.8.2.jar.bak

mv $storm/lib/log4j-slf4j-impl-2.8.2.jar $storm/lib/log4j-slf4j-impl-2.8.2.jar.bak

cp /home/log4j/log4j-api-2.15.0.jar $storm/lib/

cp /home/log4j/log4j-core-2.15.0.jar $storm/lib/

cp /home/log4j/log4j-slf4j-impl-2.15.0.jar $storm/lib/

Restart the storm server

[Submit the storm topology]

Notes:

(1) On older storm versions, such as v1.1.1, starting nimbus throws the following exception:

Exception in thread "main" java.lang.NoSuchMethodError: com.lmax.disruptor.dsl.Disruptor.<init>(Lcom/lmax/disruptor/EventFactory;ILjava/util/concurrent/ThreadFactory;Lcom/lmax/disruptor/dsl/ProducerType;Lcom/lmax/disruptor/WaitStrategy;)V
 at org.apache.logging.log4j.core.async.AsyncLoggerDisruptor.start(AsyncLoggerDisruptor.java:108)
 at org.apache.logging.log4j.core.async.AsyncLoggerContext.start(AsyncLoggerContext.java:75)
 at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:155)
 at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:47)
 at org.apache.logging.log4j.LogManager.getContext(LogManager.java:196)

To fix this, the disruptor jar must be upgraded as well

mv $storm/lib/disruptor-3.3.2.jar $storm/lib/disruptor-3.3.2.jar.bak

cp /home/logstash $storm/lib/

3. elasticsearch

mv $elasticsearch_home/lib/log4j-api-2.11.1.jar $elasticsearch_home/lib/log4j-api-2.11.1.jar.bak
mv $elasticsearch_home/lib/log4j-core-2.11.1.jar $elasticsearch_home/lib/log4j-core-2.11.1.jar.bak
cp /home/log4j/log4j-api-2.15.0.jar $elasticsearch_home/lib/
cp /home/log4j/log4j-core-2.15.0.jar $elasticsearch_home/lib/

mv $elasticsearch_home/modules/x-pack-core/log4j-1.2-api-2.11.1.jar $elasticsearch_home/modules/x-pack-core/log4j-1.2-api-2.11.1.jar.bak

mv $elasticsearch_home/modules/x-pack-security/log4j-slf4j-impl-2.11.1.jar $elasticsearch_home/modules/x-pack-security/log4j-slf4j-impl-2.11.1.jar.bak

cp /home/log4j/log4j-1.2-api-2.15.0.jar $elasticsearch_home/modules/x-pack-core/

cp /home/log4j/log4j-slf4j-impl-2.15.0.jar $elasticsearch_home/modules/x-pack-security/

[Stop the jobs that sink to es]

[Restart the es server]

[Start the jobs that sink to es]

Upgrades for other components will be added later...
