
Fix security warning of log4j 0-day

Ryan Wang requests to merge github/fork/guqing/bugfix/log4j into master

Created by: guqing

What this PR does?

Align the log4j dependency version in gradle to 2.15.0 to fix the log4j 0-day security vulnerability (see the gradle documentation).

The resulting dependency tree after alignment is as follows:

$ ./gradlew dependencies | grep log4j
+--- org.apache.logging.log4j:log4j-core:2.15.0
|    +--- org.apache.logging.log4j:log4j-api:2.15.0 (c)
|    \--- org.apache.logging.log4j:log4j-api:2.15.0
|         +--- org.apache.logging.log4j:log4j-core:2.15.0 (c)
+--- org.apache.logging.log4j:log4j-api:2.15.0 (*)
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1 -> 2.15.0 (*)
|    +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.15.0 (*)
|    \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.15.0 (*)
+--- org.apache.logging.log4j:log4j-core:2.15.0 (n)
+--- org.apache.logging.log4j:log4j-api:2.15.0 (n)
+--- org.apache.logging.log4j:log4j-core:2.15.0
|    +--- org.apache.logging.log4j:log4j-api:2.15.0 (c)
|    \--- org.apache.logging.log4j:log4j-api:2.15.0
|         +--- org.apache.logging.log4j:log4j-core:2.15.0 (c)
+--- org.apache.logging.log4j:log4j-api:2.15.0 (*)
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1 -> 2.15.0 (*)
|    +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.15.0 (*)
|    \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.15.0 (*)
+--- org.apache.logging.log4j:log4j-core:2.15.0
|    +--- org.apache.logging.log4j:log4j-api:2.15.0 (c)
|    \--- org.apache.logging.log4j:log4j-api:2.15.0
|         +--- org.apache.logging.log4j:log4j-core:2.15.0 (c)
+--- org.apache.logging.log4j:log4j-api:2.15.0 (*)
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1 -> 2.15.0 (*)
|    +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.15.0 (*)
|    \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.15.0 (*)
+--- org.apache.logging.log4j:log4j-core:2.15.0
|    +--- org.apache.logging.log4j:log4j-api:2.15.0 (c)
|    \--- org.apache.logging.log4j:log4j-api:2.15.0
|         +--- org.apache.logging.log4j:log4j-core:2.15.0 (c)
+--- org.apache.logging.log4j:log4j-api:2.15.0 (*)
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1 -> 2.15.0 (*)
|    +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.15.0 (*)
|    \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.15.0 (*)
+--- org.apache.logging.log4j:log4j-core:2.15.0
|    +--- org.apache.logging.log4j:log4j-api:2.15.0 (c)
|    \--- org.apache.logging.log4j:log4j-api:2.15.0
|         +--- org.apache.logging.log4j:log4j-core:2.15.0 (c)
+--- org.apache.logging.log4j:log4j-api:2.15.0 (*)
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1 -> 2.15.0 (*)
|    +--- org.apache.logging.log4j:log4j-core:2.8.2 -> 2.15.0 (*)
|    \--- org.apache.logging.log4j:log4j-api:2.8.2 -> 2.15.0 (*)

Why we need it?

A newly discovered 0-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and gives attackers full control of affected servers. The vulnerability is tracked as CVE-2021-44228, is classified as critical, and allows unauthenticated remote code execution.

How to test it?

Pull this PR locally, run it, and click through everything to check whether any function is unavailable. I have tested it myself, but it still needs to be pulled and run to make sure nothing was missed.
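The alignment described in this PR is done with Gradle dependency constraints: the `(c)` markers in the `./gradlew dependencies` output above are Gradle's legend entry for "dependency constraint", `(*)` marks a subtree already listed, and `(n)` marks a declared-only configuration that is never resolved, which is also why the same subtree repeats once per configuration. The build script below is an added illustration written for this page, not the project's own build.gradle; the `log4jVersion` property, the `checkLog4jVersion` task and the `versionAtLeast` helper are my own names. It pins both log4j-core and log4j-api to 2.15.0 wherever any transitive dependency pulls them in, and adds a guard task so the build fails if an older log4j artifact ever reappears on the runtime classpath.

```groovy
// build.gradle (Groovy DSL) -- added example, not the project's build file.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

// Version the PR aligns to (assumed property name).
ext.log4jVersion = '2.15.0'

dependencies {
    // A constraint does not add log4j as a dependency; it only decides the
    // version whenever some other dependency brings log4j in transitively.
    // Constraints on 'implementation' flow into compileClasspath and
    // runtimeClasspath, which is where the '-> 2.15.0' upgrades come from.
    constraints {
        implementation("org.apache.logging.log4j:log4j-core:${log4jVersion}") {
            because 'CVE-2021-44228: align log4j-core to a fixed version'
        }
        implementation("org.apache.logging.log4j:log4j-api:${log4jVersion}") {
            because 'keep log4j-api at the same version as log4j-core'
        }
    }
}

// Numeric version comparison: '2.8.2' < '2.15.0' even though '8' > '1' as text.
// Non-numeric qualifiers (e.g. '-rc1') are ignored for this check.
def versionAtLeast = { String actual, String minimum ->
    def a = actual.tokenize('.-').findAll { it.isInteger() }*.toInteger()
    def m = minimum.tokenize('.-').findAll { it.isInteger() }*.toInteger()
    for (int i = 0; i < Math.max(a.size(), m.size()); i++) {
        int x = i < a.size() ? a[i] : 0
        int y = i < m.size() ? m[i] : 0
        if (x != y) {
            return x > y
        }
    }
    return true
}

// Guard task (assumed name): fails the build if any resolved
// org.apache.logging.log4j artifact on the runtime classpath is older than
// log4jVersion, so a future dependency bump cannot silently downgrade it.
tasks.register('checkLog4jVersion') {
    description = 'Fails if any log4j artifact resolves below ' + log4jVersion
    doLast {
        def offenders = configurations.runtimeClasspath.resolvedConfiguration
            .resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'org.apache.logging.log4j' }
            .findAll { !versionAtLeast(it.version, log4jVersion) }
        if (!offenders.empty) {
            throw new GradleException(
                "log4j artifacts below ${log4jVersion}: ${offenders}")
        }
        logger.lifecycle("All log4j artifacts are at least ${log4jVersion}")
    }
}

// Run the guard as part of the normal 'check' lifecycle (and therefore 'build').
tasks.named('check') {
    dependsOn 'checkLog4jVersion'
}
```

To reproduce the PR's own verification, run `./gradlew dependencies --configuration runtimeClasspath | grep log4j`; restricting to one resolvable configuration avoids the repeated subtrees seen above and every log4j line should show either `2.15.0` directly or `-> 2.15.0`. Running `./gradlew check` then exercises the guard task.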
