About the Log4j2 vulnerability
- Java 8 (or later) users should upgrade to release 2.16.0.
- Java 7 users should upgrade to release 2.12.2.
- Otherwise, in any release other than 2.16.0, you may remove the JndiLookup class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
# Use the zip command to delete the JndiLookup.class class from the log4j-core jar
# -q  quiet: do not print the command's progress
# -d  delete the named file from inside the archive
# Official advice: do not enable JNDI in Log4j 2.16.0 and later; if you need the JMS Appender, use Log4j 2.12.2
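The removal step above works on one jar at a time and gives no feedback on whether the class was actually present. The script below is an added example, not part of the original note or of the Log4j project: it walks a directory tree, finds every log4j-core jar (log4j-api alone is not affected, so other jars are skipped), reports whether each one still ships JndiLookup.class, and on request rewrites the jar without that entry. It uses Python's zipfile module in place of the zip CLI; the function names, the dry-run flag and the sample jars built by build_demo_tree() are all constructed for this example.

```python
import os
import shutil
import tempfile
import zipfile

# Entry path inside log4j-core jars, taken from the zip command in the note above.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_log4j_core_jars(root):
    """Return sorted paths of every log4j-core*.jar below `root`.

    Only log4j-core is affected, so log4j-api and other jars are not touched.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def list_entries(jar_path):
    """Return the list of member names in a jar (a jar is a zip archive)."""
    with zipfile.ZipFile(jar_path) as zf:
        return zf.namelist()


def has_jndi_lookup(jar_path):
    """True if the jar still contains JndiLookup.class, i.e. is still exposed."""
    return JNDI_LOOKUP_ENTRY in list_entries(jar_path)


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same effect as `zip -q -d`).

    zipfile cannot delete in place, so every other entry is copied to a temporary
    jar in the same directory, which then replaces the original.
    Returns True if the class was removed, False if it was not present.
    """
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP_ENTRY not in src.namelist():
            return False
        fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP_ENTRY:
                    continue  # drop only the lookup class, keep everything else
                dst.writestr(info, src.read(info.filename), compress_type=info.compress_type)
    shutil.move(tmp_path, jar_path)
    return True


def remediate_tree(root, dry_run=True):
    """Scan `root` and return {jar_path: "clean" | "vulnerable" | "removed"}.

    With dry_run=True (the default) nothing is modified; the report only says
    which jars still expose JndiLookup.class.
    """
    report = {}
    for jar in find_log4j_core_jars(root):
        if not has_jndi_lookup(jar):
            report[jar] = "clean"
        elif dry_run:
            report[jar] = "vulnerable"
        else:
            remove_jndi_lookup(jar)
            report[jar] = "removed"
    return report


def build_demo_tree():
    """Constructed sample data (not real Log4j builds) so the example runs offline.

    Creates a temp dir with a fake log4j-core jar that contains JndiLookup.class
    and a fake log4j-api jar that does not. Returns (root, core_jar, api_jar).
    """
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    core_jar = os.path.join(lib, "log4j-core-sample.jar")
    api_jar = os.path.join(lib, "log4j-api-sample.jar")
    for path, include_jndi in ((core_jar, True), (api_jar, False)):
        with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if include_jndi:
                zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return root, core_jar, api_jar


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()[0]
    apply = "--apply" in sys.argv
    for jar, status in remediate_tree(target, dry_run=not apply).items():
        print(f"{status:10s} {jar}")
```

Run it with a directory argument to get a dry-run report, and add --apply to actually strip the class; with no argument it demonstrates itself on the constructed sample tree. Re-running after --apply should report every log4j-core jar as clean, which is the check to keep in a remediation playbook, since a jar restored from a backup or redeployed by a build would show up as vulnerable again.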
Users are advised not to enable JNDI in Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.