
POC details: 9a8f907730199a8b04bacfda5aefa39b16dbdca9

Source
Related vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-4104)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (USA). Apache Log4j 1.2 contains a code issue vulnerability; an attacker can exploit it to run code through JMSAppender deserialization.
Description
Log4j version 1.2.17 without the offending class responsible for CVE-2021-4104.
Introduction
# Log4j version 1.2.17-aims

This jar was created to protect against **CVE-2021-4104**.

It is meant to be used as a direct replacement for Log4j v1 libraries.

Log4j 1.2 project page: https://logging.apache.org/log4j/1.2/

Apache 2.0 Licence: https://www.apache.org/licenses/LICENSE-2.0

## Usage

Add this to your `pom.xml`:

```xml
<project ...>
    <repositories>
        <!-- Open AIMS maven repository on GitHub -->
        <repository>
            <id>github_openaims</id>
            <name>GitHub Open-AIMS repo</name>
            <url>https://maven.pkg.github.com/open-AIMS/*</url>
        </repository>
    </repositories>

    ...

    <dependencies>
        <dependency>
            <groupId>au.gov.aims</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17-aims</version>
        </dependency>

        ...
    </dependencies>
</project>
```

If one of your dependencies pulls in another version of log4j, exclude it with an `<exclusions>` block inside that dependency's declaration, so that only the `1.2.17-aims` artifact ends up on the classpath.

Example:
```xml
<project ...>
    ...

    <dependencies>
        <dependency>
            <groupId>au.gov.aims</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17-aims</version>
        </dependency>

        <dependency>
            <groupId>uk.ac.rdg.resc</groupId>
            <artifactId>edal-xml-catalogue</artifactId>
            <version>1.2.4</version>
            <type>jar</type>

            <exclusions>
                <exclusion>
                    <groupId>log4j</groupId>
                    <artifactId>log4j</artifactId>
                </exclusion>
            </exclusions>

        </dependency>

        ...
    </dependencies>

</project>
```

If the project is built by a GitHub workflow, don't forget to add credentials for the
`github_openaims` repository in your `maven-settings.xml` file:
```xml
<settings ...>
    ...
    <servers>
        <!-- Used by GitHub server to resolve Open-AIMS dependencies when running tests or building the package -->
        <server>
            <id>github_openaims</id>
            <username>${env.GITHUB_USERNAME}</username>
            <password>${env.GITHUB_TOKEN}</password>
        </server>
    </servers>
</settings>
```

## Creation of the jar

How this jar was created:

### Copying the original files

Copy the jar from your local Maven repository into this project:
```console
$ cp ~/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar jar/log4j-1.2.17-aims.jar
```

### Modifying the JAR

Reference: https://access.redhat.com/security/cve/CVE-2021-4104

Remove the offending class from the copied jar:
```console
$ zip -q -d jar/log4j-1.2.17-aims.jar org/apache/log4j/net/JMSAppender.class
```
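Removing the class is only half the job: the check below, an added example that is not part of the 1.2.17-aims project, walks a directory and reports every jar, war or ear that still contains `org/apache/log4j/net/JMSAppender.class`, recursing into jars bundled inside other archives (for instance `WEB-INF/lib`). The sample archives it scans are constructed inline with placeholder class bytes, so it runs offline.

```python
# Added example (not the 1.2.17-aims project's code): report Log4j 1.x archives that still
# ship JMSAppender.class (removed for CVE-2021-4104). Fixtures are constructed placeholder bytes.
import io
import os
import tempfile
import zipfile

JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def archive_has_jms_appender(data: bytes, depth: int = 0) -> bool:
    """True if the zip bytes contain JMSAppender.class, recursing into nested jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if JMS_APPENDER in zf.namelist():
            return True
        if depth >= 3:  # bound recursion for deeply nested or hostile archives
            return False
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                if archive_has_jms_appender(zf.read(name), depth + 1):
                    return True
    return False

def scan_tree(root: str) -> list:
    """Paths (relative to root) of archives on disk that still carry JMSAppender."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    if archive_has_jms_appender(fh.read()):
                        hits.append(os.path.relpath(path, root))
    return sorted(hits)

def _write_zip(path_or_buf, entries: dict) -> None:
    with zipfile.ZipFile(path_or_buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)

def build_sample_tree() -> str:
    """Constructed fixtures: unpatched jar, -aims style jar, and a war nesting the unpatched jar."""
    root = tempfile.mkdtemp(prefix="log4j-check-")
    _write_zip(os.path.join(root, "log4j-1.2.17.jar"), {JMS_APPENDER: b"fake"})
    _write_zip(os.path.join(root, "log4j-1.2.17-aims.jar"), {"org/apache/log4j/net/SocketAppender.class": b"fake"})
    inner = io.BytesIO()
    _write_zip(inner, {JMS_APPENDER: b"fake"})
    _write_zip(os.path.join(root, "app.war"), {"WEB-INF/lib/log4j-1.2.17.jar": inner.getvalue()})
    return root
```

Point `scan_tree` at a real deployment directory (or a local `~/.m2/repository`) to confirm that no unpatched copy survives alongside the replacement artifact.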

### Deploy to the Open-AIMS Maven repository as a Maven library

Create a new release on GitHub.
File snapshot

```
[4.0K] /data/pocs/9a8f907730199a8b04bacfda5aefa39b16dbdca9
├── [4.0K] jar
│   └── [470K] log4j-1.2.17-aims.jar
├── [ 11K] LICENSE
├── [ 508] maven-settings.xml
├── [ 160] NOTICE
├── [ 875] pom.xml
└── [2.7K] README.md

1 directory, 6 files
```