Additional update (CVE-2021-44832)
A remote code execution vulnerability (CVE-2021-44832) has been found in Apache Log4j 2.
You must update to version 2.17.1. Please check the link below.
0. Environment used for the fix
- Spring Boot 2.5.6 (Gradle project)
- JDK 11 (Java 11)
- IntelliJ
1. Vulnerability details
- A JNDI Lookup pattern issue occurs in Log4j 2.16.0, the version that fixed the earlier vulnerabilities
- It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.
- https://logging.apache.org/log4j/2.x/security.html
2. Remediation
- Update to Log4j version 2.17.0.
3. Updating the Log4j2 version
[Gradle]
dependencies {
    implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.17.0'
    implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.17.0'
    implementation group: 'org.apache.logging.log4j', name: 'log4j-jul', version: '2.17.0'
    implementation group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: '2.17.0'
    implementation group: 'org.slf4j', name: 'slf4j-api', version: '1.7.32'
    implementation group: 'org.slf4j', name: 'jul-to-slf4j', version: '1.7.32'
}
[Maven]
<dependencies>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.17.0</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.0</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-jul</artifactId>
    <version>2.17.0</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.17.0</version>
    <scope>test</scope>
  </dependency>
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId>
    <version>1.7.32</version>
  </dependency>
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>jul-to-slf4j</artifactId>
    <version>1.7.32</version>
  </dependency>
</dependencies>
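As an added check that is not part of the original post: because Spring Boot's starter pulls log4j in transitively, the version that actually ends up on the classpath is what matters, not only the one declared in the build file. This Python script (function names are my own; the `./gradlew dependencies` output it reads is a constructed sample) flags any resolved log4j-core version below the 2.17.1 fix version noted at the top of the post, and reads the `->` arrow Gradle prints when a declared version is overridden by conflict resolution.

```python
import re
from typing import Iterator, List, Tuple

# Fixed version stated in the post for CVE-2021-44832; older versions, 2.17.0 included, are flagged.
FIXED_VERSION = (2, 17, 1)

# Matches a log4j-core line of `./gradlew dependencies` output, e.g.
#   +--- org.apache.logging.log4j:log4j-core:2.14.1 -> 2.17.0
# group 1 = declared version, group 2 = version Gradle actually resolved (if overridden).
LINE_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core:(\d[\w.-]*)(?:\s+->\s+(\d[\w.-]*))?"
)

# Constructed sample output for a Spring Boot 2.5.6 project (assumed to pull log4j in
# through spring-boot-starter-log4j2) after the 2.17.0 update shown above.
SAMPLE_OUTPUT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-log4j2:2.5.6
|    +--- org.apache.logging.log4j:log4j-slf4j-impl:2.14.1 -> 2.17.0
|    |    \\--- org.apache.logging.log4j:log4j-core:2.14.1 -> 2.17.0 (*)
+--- org.apache.logging.log4j:log4j-core:2.17.0
\\--- org.apache.logging.log4j:log4j-api:2.17.0
"""

def parse_version(version: str) -> Tuple[int, ...]:
    """'2.17.0' -> (2, 17, 0); parsing stops at the first non-numeric component."""
    parts: List[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def is_vulnerable(version: str) -> bool:
    """True when the resolved log4j-core version is older than FIXED_VERSION."""
    return parse_version(version) < FIXED_VERSION

def scan_gradle_output(text: str) -> Iterator[Tuple[str, bool]]:
    """Yield (resolved version, vulnerable?) for every log4j-core line."""
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            resolved = match.group(2) or match.group(1)  # prefer the "-> resolved" side
            yield resolved, is_vulnerable(resolved)

def find_vulnerable(text: str) -> List[str]:
    """Sorted, de-duplicated log4j-core versions below the fix; [] means patched."""
    return sorted({v for v, bad in scan_gradle_output(text) if bad})

print("log4j-core versions still needing update:", find_vulnerable(SAMPLE_OUTPUT))  # ['2.17.0']
```

Run `./gradlew dependencies --configuration runtimeClasspath` in the project and pass its output to find_vulnerable; for a Maven build the same idea applies to `mvn dependency:tree` with the regex adjusted to its `groupId:artifactId:jar:version` format.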