Fixing the logging framework vulnerability in Spring Boot
Version issue
All versions below 2.6.2 are affected by the log4j injection vulnerability.
Option 1: Log4j2
Exclude the default logging dependency from spring-boot-starter:
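<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-log4j2</artifactId>
    <version>2.6.2</version>
</dependency>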
log4j2.xml
<?xml version="1.0" encoding="UTF-8"?>
third-api
/home/migu/portal-third-api/logs
100 MB
logback-spring.xml
<?xml version="1.0" encoding="UTF-8"?>
logback
debug
${CONSOLE_LOG_PATTERN}
UTF-8
Option 2
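<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-log4j2</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-slf4j-impl</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-to-slf4j</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-jul</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>${log4j2.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>${log4j2.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-jul</artifactId>
    <version>${log4j2.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-to-slf4j</artifactId>
    <version>${log4j2.version}</version>
</dependency>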
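One way to confirm that the Option 2 exclusions and pinned versions actually took effect, as an added example that is not part of the original post: the script audits the output of `mvn dependency:tree` for the excluded starter and for log4j artifacts that are missing or resolve to a version other than the one you pinned. The function names, the sample tree and every version number in it are constructed for illustration.

```python
import re

# One artifact line of `mvn dependency:tree`:
#   groupId:artifactId:type[:classifier]:version:scope
COORD = re.compile(r"([\w.-]+):([\w.-]+):[\w-]+(?::[\w.-]+)?:([\w.-]+):\w+\s*$")

LOG4J_GROUP = "org.apache.logging.log4j"
# Artifacts that Option 2 declares explicitly with ${log4j2.version}
PINNED = {"log4j-slf4j-impl", "log4j-api", "log4j-core", "log4j-jul", "log4j-to-slf4j"}
# The default logging starter that both options exclude
EXCLUDED = ("org.springframework.boot", "spring-boot-starter-logging")


def parse_tree(text):
    """Return (groupId, artifactId, version) for every artifact line."""
    return [m.group(1, 2, 3) for m in map(COORD.search, text.splitlines()) if m]


def audit(tree_text, expected_version):
    """List the ways the resolved tree differs from the intended setup."""
    problems, seen = [], set()
    for group, artifact, version in parse_tree(tree_text):
        if (group, artifact) == EXCLUDED:
            problems.append(f"{artifact} is still resolved; the exclusion did not apply")
        elif group == LOG4J_GROUP:
            seen.add(artifact)
            if version != expected_version:
                problems.append(f"{artifact} resolves to {version}, expected {expected_version}")
    problems += [f"{a} is missing from the tree" for a in sorted(PINNED - seen)]
    return problems


# Constructed sample output; all version numbers are placeholders, not real releases.
SAMPLE_TREE = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter:jar:0.0.0:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-logging:jar:0.0.0:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:9.9.9:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:9.9.8:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:9.9.9:compile
[INFO] \- org.apache.logging.log4j:log4j-jul:jar:9.9.9:compile
"""

if __name__ == "__main__":
    for problem in audit(SAMPLE_TREE, "9.9.9"):
        print("FAIL:", problem)
```

In a real build, pass the captured `mvn dependency:tree` output and the value your project resolves for `${log4j2.version}` to `audit`.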
Logging upgrade
To be updated...