[Spring Boot] 스프링 부트 Log4J2 취약점 조치 (CVE-2021-45105)

추가 업데이트(CVE-2021-44832)

Apache Log4j 2에서 발생하는 원격코드 실행 취약점 (CVE-2021-44832) 발견되었습니다. 

2.17.1 버전으로 업데이트해야 합니다. 아래의 링크를 확인해주세요.

https://veneas.tistory.com/entry/Spring-Boot-%EC%8A%A4%ED%94%84%EB%A7%81-%EB%B6%80%ED%8A%B8-Log4J2-%EC%B7%A8%EC%95%BD%EC%A0%90-%EC%A1%B0%EC%B9%98-CVE-2021-44832

0. 조치 환경

• Spring Boot 2.5.6 (Gradle Project)
• JDK 11(Java 11)
• IntelliJ

1. 취약점 내용

• 이전 취약점들을 조치한 Logj4 2.16.0 버전에서 JNDI Lookup pattern 문제 발생
• It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.
• https://logging.apache.org/log4j/2.x/security.html

2. 조치 방안

• Logj4 2.17.0 버전으로 업데이트 합니다.

3. Log4j2 버전 업데이트

[Gradle]

dependencies {
	implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.17.0'
	implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.17.0'
	implementation group: 'org.apache.logging.log4j', name: 'log4j-jul', version: '2.17.0'
	implementation group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: '2.17.0'
	implementation group: 'org.slf4j', name: 'slf4j-api', version: '1.7.32'
	implementation group: 'org.slf4j', name: 'jul-to-slf4j', version: '1.7.32'
}

 

[Maven]

<dependencies>
  <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.17.0</version>
  </dependency>
  <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.17.0</version>
  </dependency>
  <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-jul</artifactId>
      <version>2.17.0</version>
  </dependency>
  <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-slf4j-impl</artifactId>
      <version>2.17.0</version>
      <scope>test</scope>
  </dependency>
  <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.32</version>
  </dependency>
  <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>jul-to-slf4j</artifactId>
      <version>1.7.32</version>
  </dependency>
</dependencies