search
HomeOperation and MaintenanceApacheApache Log4j 2.17.0 has been released! See what problem was solved?

Apache Log4j 2.17.0 has been released! See what problem was solved?

藏色散人
藏色散人
Dec 20, 2021 am 11:09 AM
apache

Apache Log4j version 2.17.0 has been officially released, solving the third discovered security vulnerability, CVE-2021-45105.

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 do not prevent uncontrolled recursion of self-referential lookups. When the log configuration uses a non-default Pattern Layout and Context Lookup (for example, $${ctx:loginId}), an attacker who controls the thread context map (MDC) input data can craft malicious input data containing recursive lookups, causing a StackOverflowError. Thereby terminating the process. This is also called a DoS attack. [Recommended: Apache Usage Tutorial]

Starting from version 2.17.0 (for Java 8), only the search string in the configuration will be recursively expanded; in any other usage, Only top-level lookups are parsed, not any nested lookups.

In previous versions, this issue could be mitigated by ensuring that your logging configuration did the following:

  • In the logging configuration In the PatternLayout, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with the Thread Context Map pattern (%X, %mdc or %MDC).

  • Otherwise, remove references to Context Lookups such as ${ctx:loginId} or ${ctx:loginId} in the configuration; they originate from sources outside the application, such as HTTP headers or user input..

The specific updates of version 2.17.0 include:

  • Fixed string replacement recursion. Fix LOG4J2-3230

  • Restrict JNDI to java protocol only. By default, JNDI will remain disabled. Renamed JNDI enable properties from "log4j2.enableJndi" to "log4j2.enableJndiLookup", "log4j2.enableJndiJms", and "log4j2.enableJndiContextSelector". Fix LOG4J2-3242

  • JNDI is limited to java protocol. By default, JNDI will remain disabled. The enable property has been renamed to "log4j2.enableJndiJava". Fix LOG4J2-3242

  • Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as this will cause problems with the Maven enforcer plugin. Fix LOG4J2-3241

  • PropertiesConfiguration.parseAppenderFilters NPE when parsing properties file filters. Fix LOG4J2-3247

  • #Syslog Appender's Log4j 1.2 bridge defaults to port 512 instead of 514. Fix LOG4J2-3249

  • Log4j 1.2 bridge API hardcodes Syslog protocol to TCP. Fix LOG4J2-3237

The above is the detailed content of Apache Log4j 2.17.0 has been released! See what problem was solved?. For more information, please follow other related articles on the PHP Chinese website!

Statement
This article is reproduced at:OSC开源社区. If there is any infringement, please contact admin@php.cn delete
Related Article
What Defined Apache? Its Core FunctionalityWhat Defined Apache? Its Core FunctionalityMay 09, 2025 am 12:21 AM

The core function of Apache is modular design and high customization, allowing it to meet various web service needs. 1. Modular design allows for extended functions by loading different modules. 2. Supports multiple operating systems and is suitable for different environments. 3. Multi-process, multi-threaded and event-driven models improve performance. 4. The basic usage includes configuring the virtual host and document root directory. 5. Advanced usage involves URL rewriting, load balancing and reverse proxying. 6. Common errors can be debugged through syntax checking and log analysis. 7. Performance optimization includes adjusting MPM settings and enabling cache.

Apache's Continued Use: Web Hosting and BeyondApache's Continued Use: Web Hosting and BeyondMay 08, 2025 am 12:15 AM

What makes Apache still popular in modern web environments is its powerful capabilities and flexibility. 1) Modular design allows custom functions such as security certification and load balancing. 2) Support multiple operating systems to enhance popularity. 3) Efficiently handle concurrent requests, suitable for various application scenarios.

Apache: From Open Source to Industry StandardApache: From Open Source to Industry StandardMay 07, 2025 am 12:05 AM

The reasons why Apache has developed from an open source project to an industry standard include: 1) community-driven, attracting global developers to participate; 2) standardization and compatibility, complying with Internet standards; 3) business support and ecosystem, and obtaining enterprise-level market support.

Apache's Legacy: Impact on Web HostingApache's Legacy: Impact on Web HostingMay 06, 2025 am 12:03 AM

Apache's impact on Webhosting is mainly reflected in its open source features, powerful capabilities and flexibility. 1) Open source features lower the threshold for Webhosting. 2) Powerful features and flexibility make it the first choice for large websites and businesses. 3) The virtual host function saves costs. Although performance may decline in high concurrency conditions, Apache remains competitive through continuous optimization.

Apache: The History and Contributions to the WebApache: The History and Contributions to the WebMay 05, 2025 am 12:14 AM

Originally originated in 1995, Apache was created by a group of developers to improve the NCSAHTTPd server and become the most widely used web server in the world. 1. Originated in 1995, it aims to improve the NCSAHTTPd server. 2. Define the Web server standards and promote the development of the open source movement. 3. It has nurtured important sub-projects such as Tomcat and Kafka. 4. Facing the challenges of cloud computing and container technology, we will focus on integrating with cloud-native technologies in the future.

Apache's Impact: Shaping the InternetApache's Impact: Shaping the InternetMay 04, 2025 am 12:05 AM

Apache has shaped the Internet by providing a stable web server infrastructure, promoting open source culture and incubating important projects. 1) Apache provides a stable web server infrastructure and promotes innovation in web technology. 2) Apache has promoted the development of open source culture, and ASF has incubated important projects such as Hadoop and Kafka. 3) Despite the performance challenges, Apache's future is still full of hope, and ASF continues to launch new technologies.

The Legacy of Apache: A Look at Its Impact on Web ServersThe Legacy of Apache: A Look at Its Impact on Web ServersMay 03, 2025 am 12:03 AM

Since its creation by volunteers in 1995, ApacheHTTPServer has had a profound impact on the web server field. 1. It originates from dissatisfaction with NCSAHTTPd and provides more stable and reliable services. 2. The establishment of the Apache Software Foundation marks its transformation into an ecosystem. 3. Its modular design and security enhance the flexibility and security of the web server. 4. Despite the decline in market share, Apache is still closely linked to modern web technologies. 5. Through configuration optimization and caching, Apache improves performance. 6. Error logs and debug mode help solve common problems.

Apache's Purpose: Serving Web ContentApache's Purpose: Serving Web ContentMay 02, 2025 am 12:23 AM

ApacheHTTPServer continues to efficiently serve Web content in modern Internet environments through modular design, virtual hosting functions and performance optimization. 1) Modular design allows adding functions such as URL rewriting to improve website SEO performance. 2) Virtual hosting function hosts multiple websites on one server, saving costs and simplifying management. 3) Through multi-threading and caching optimization, Apache can handle a large number of concurrent connections, improving response speed and user experience.

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Show More

Hot Article

Roblox: Grow A Garden - Complete Mutation Guide
3 weeks agoByDDD
Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys
3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
How to fix KB5055612 fails to install in Windows 10?
3 weeks agoByDDD
Nordhold: Fusion System, Explained
3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Mandragora: Whispers Of The Witch Tree - How To Unlock The Grappling Hook
3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Show More

Hot Tools

SecLists

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

Dreamweaver Mac version

Dreamweaver Mac version

Visual web development tools

MinGW - Minimalist GNU for Windows

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

SublimeText3 English version

SublimeText3 English version

Recommended: Win version, supports code prompts!

WebStorm Mac version

WebStorm Mac version

Useful JavaScript development tools

Show More

Hot Topics

Java Tutorial
1665
14
CakePHP Tutorial
1424
52
Laravel Tutorial
1322
25
PHP Tutorial
1270
29
C# Tutorial
1249
24
Show More