Notes on Apache Log4j Zero Day (CVE-2021-44228) #9380

chickenlj · 2021-12-11T08:22:07Z

CVE-2021-44228 Annoucement

Recently, the mainstream log framework log4j2 was reported with a severe security vulnerability cve-2021-44228.

The following is a summary of the impact of this vulnerability cve-2021-44228 on the Apache Dubbo framework and the user's guide.

Potential Influence on Dubbo

CVE-2021-44228 has no security impact on use of Dubbo framework

Dubbo itself does not rely on the log4j2 framework, nor will it bring log4j2 to the project through dependency transfer. Therefore, Dubbo users of version 2.7.x and 3.0.x do not need to upgrade their Dubbo versions.

The following is the dependency analysis of Dubbo components on log4j2, involving Dubbo common, Dubbo spring boot starter and Dubbo spring boot actuator:

dubbo-common optionally depends on log4j-core. The only need to check is whether the project itself has enabled log4j dependency. If so, upgrade accordingly.

[INFO] --- maven-dependency-plugin:3.1. 2:tree (default-cli) @ dubbo-common ---
[INFO] org. apache. dubbo:dubbo-common:jar:2.7. 14-SNAPSHOT
[INFO] +- org. apache. logging. log4j:log4j-api:jar:2.11. 1:provided
[INFO] \- org. apache. logging. log4j:log4j-core:jar:2.11. 1:provided

dubbo-spring-boot-starter transfers log4j-api dependency through spring-boot. log4j-api itself has no security issue. But pay attention to compatibility with log4j-api when upgrading the log4j-core component

[INFO] org. apache. dubbo:dubbo-spring-boot-starter:jar:2.7. 14-SNAPSHOT
[INFO] \- org. springframework. boot:spring-boot-starter:jar:2.3. 1.RELEASE:compile (optional)
[INFO] \- org. springframework. boot:spring-boot-starter-logging:jar:2.3. 1.RELEASE:compile (optional)
[INFO] \- org. apache. logging. log4j:log4j-to-slf4j:jar:2.13. 3:compile (optional)
[INFO] \- org. apache. logging. log4j:log4j-api:jar:2.13. 3:compile (optional)

dubbo-spring-boot-actuator transfers log4j-api dependency through spring-boot. log4j-api itself has no security issue. But pay attention to compatibility with log4j-api when upgrading the log4j-core component

[INFO] org. apache. dubbo:dubbo-spring-boot-actuator:jar:2.7. 14-SNAPSHOT
[INFO] \- org. springframework. boot:spring-boot-starter-web:jar:2.3. 1.RELEASE:compile (optional)
[INFO] \- org. springframework. boot:spring-boot-starter:jar:2.3. 1.RELEASE:compile
[INFO] \- org. springframework. boot:spring-boot-starter-logging:jar:2.3. 1.RELEASE:compile
[INFO] \- org. apache. logging. log4j:log4j-to-slf4j:jar:2.13. 3:compile
[INFO] \- org. apache. logging. log4j:log4j-api:jar:2.13. 3:compile

Follow up actions

Dubbo will release 2.7.x and 3.0.x soon to upgrade optional log4j-core dependency to its latest secure version. Please stay tuned with the community and upgrade as needed.

CVE-2021-44228 漏洞说明

最近，主流日志组件 log4j2 爆出安全漏洞 CVE-2021-44228。

以下是漏洞 CVE-2021-44228 对 Apache Dubbo 框架的影响总结及用户应对指南。

Dubbo 影响范围

该漏洞对 Dubbo 框架使用安全并无影响。

Dubbo 本身不强依赖 log4j2 框架，也不会通过依赖传递将 log4j2 带到业务工程中去，因此，正在使用 Dubbo 2.7.x、3.0.x 等版本的用户均无需强制升级 Dubbo 版本。

以下是 Dubbo 各组件对 log4j2 的依赖分析，涉及 dubbo-common、dubbo-spring-boot-starter、dubbo-spring-boot-actuator：

dubbo-common 包含对 log4j-core 的可选依赖，请检查项目自身是否启用了 log4j 依赖，如启用则对应升级即可。

[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ dubbo-common ---
[INFO] org.apache.dubbo:dubbo-common:jar:2.7.14-SNAPSHOT
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.11.1:provided
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.11.1:provided

dubbo-spring-boot-starter 通过 spring-boot 组件传递了 log4j-api 依赖，log4j-api 本身并无安全问题，升级 log4j-core 组件时注意与 log4j-api 的兼容性

[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ dubbo-spring-boot-starter ---
[INFO] org.apache.dubbo:dubbo-spring-boot-starter:jar:2.7.14-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:compile (optional) 
[INFO]    \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.1.RELEASE:compile (optional) 
[INFO]       \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile (optional) 
[INFO]          \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile (optional)

dubbo-spring-boot-actuator 通过 spring-boot 组件传递了 log4j-api 依赖，log4j-api 本身并无安全问题，升级 log4j-core 组件时应注意与 log4j-api 的兼容性

[INFO] org.apache.dubbo:dubbo-spring-boot-actuator:jar:2.7.14-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.3.1.RELEASE:compile (optional) 
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:compile
[INFO]       \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.1.RELEASE:compile
[INFO]          \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
[INFO]             \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile

后续动作

Dubbo 仍将在接下来的 2.7.x、3.0.x 最新版本中升级 log4j-core 可选（optional）依赖到最新安全版本，请持续关注社区动态并按需升级。

The text was updated successfully, but these errors were encountered:

chickenlj · 2021-12-27T09:13:07Z

Please upgrade to the latest 2.6.x, 2.7.15, 3.0.5 accordingly.

chickenlj added the type/discussion Everything related with code discussion or question label Dec 11, 2021

chickenlj pinned this issue Dec 11, 2021

chickenlj changed the title ~~Log4j CVE-2021-44228 漏洞影响说明~~ Notes on Apache Log4j Zero Day (CVE-2021-44228) Dec 17, 2021

chickenlj closed this as completed Dec 27, 2021

chickenlj unpinned this issue Feb 25, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Notes on Apache Log4j Zero Day (CVE-2021-44228) #9380

Notes on Apache Log4j Zero Day (CVE-2021-44228) #9380

chickenlj commented Dec 11, 2021 •

edited

Loading

chickenlj commented Dec 27, 2021

Notes on Apache Log4j Zero Day (CVE-2021-44228) #9380

Notes on Apache Log4j Zero Day (CVE-2021-44228) #9380

Comments

chickenlj commented Dec 11, 2021 • edited Loading

CVE-2021-44228 Annoucement

Potential Influence on Dubbo

Follow up actions

CVE-2021-44228 漏洞说明

Dubbo 影响范围

后续动作

chickenlj commented Dec 27, 2021

chickenlj commented Dec 11, 2021 •

edited

Loading