SQL injection in JDBC Appender in Apache Log4j V1

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

N/A

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

Apache Log4j SQL注入漏洞

Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。 Apache Log4j 存在SQL注入漏洞，该漏洞源于 Log4j 1.2.x 中的 JDBCAppender 接受 SQL 语句作为配置参数，其中要插入的值是来自 PatternLayout 的转换器。 消息转换器 %m 可能总是包含在内。 这允许攻击者通过将精心制作的字符串输入到记录的应用程序的输入字段或标题中来操纵 SQL，从而允许执行意外的 SQL 查询。 请注意，此问题仅在专门配置为使用 JDBC

N/A

N/A