MiraiForum


    log4j security issue in mcl

    Bug Reports
      xiran last edited by

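      The current latest version of mcl (Mirai Console Loader), v2.1.0, uses the mirai-core-all-2.11.0.jar package, and the log4j in this package has not been patched for the earlier log4j vulnerability.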

        xiran last edited by

        Preliminary fix: in the config.json configuration file under mcl, the mirai-core-all version can be changed to a higher version.

          xiran last edited by

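          mirai uses log4j only to allow the built-in logging to be replaced by other logging systems. Moreover, mirai uses only SimpleMessage by default, so there should be no security issue. If a user wants log4j to take over logging, then it is the user's responsibility to resolve the security issue (override mirai's dependency with a better version).

          According to the log4j website's explanation of SimpleMessage: The simplest possible implementation of Message. It just returns the String given as the constructor argument.
          It follows that SimpleMessage only returns the string given as the constructor argument and does not parse content such as ${} in the string, so it does not trigger the vulnerability.

          References:
          https://logging.apache.org/log4j/log4j-2.3.2/log4j-api/apidocs/org/apache/logging/log4j/message/SimpleMessage.html
          https://github.com/mamoe/mirai/issues/1969

          According to this, if you do not take over or modify mirai's log4j logging, there is no remote execution vulnerability; if you have modified or taken over mirai's log4j logging, please consider upgrading the log4j version in mcl dependency packages such as mirai-core-all.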

          shirok1 created this issue in mamoe/mirai

          closed: Please consider upgrading the log4j version to 2.17.2 #1969
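
One way to check what a bundled jar such as mirai-core-all actually contains, as an added example that is not part of the original posts or of mirai's code: it lists the log4j artifacts recorded in the jar, whether log4j-core and its JndiLookup class are present, and which artifacts are older than the 2.17.2 named in the linked issue. The function names and both sample jars are constructed for illustration, and a shaded jar may omit the pom.properties metadata, so the class checks are reported separately.

```python
import io
import re
import zipfile

# Class that performs JNDI lookups; it ships in log4j-core, not log4j-api.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/(log4j-[\w-]+)/pom\.properties$")
TARGET = (2, 17, 2)  # version requested in the linked mamoe/mirai issue #1969

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when no leading version number is found."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def scan_jar(jar):
    """Report bundled log4j artifacts in a jar (path or binary file object)."""
    report = {"artifacts": {}, "has_core": False,
              "has_jndi_lookup": False, "below_target": []}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            report["has_jndi_lookup"] |= name == JNDI_LOOKUP
            report["has_core"] |= name.startswith("org/apache/logging/log4j/core/")
            m = POM_RE.match(name)
            if not m:
                continue
            props = zf.read(name).decode("utf-8", "replace")
            v = re.search(r"^version=(.+)$", props, re.M)
            version = v.group(1).strip() if v else "unknown"
            report["artifacts"][m.group(1)] = version
            parsed = parse_version(version)
            if parsed is None or parsed < TARGET:
                report["below_target"].append(m.group(1))
    return report

def make_sample_jar(entries):
    """Build a constructed in-memory jar from {path: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    buf.seek(0)
    return buf

# Constructed samples (not the real contents of any mirai jar).
POM = "META-INF/maven/org.apache.logging.log4j/%s/pom.properties"
API_ONLY = {POM % "log4j-api": "version=2.14.1\n",
            "org/apache/logging/log4j/message/SimpleMessage.class": b""}
WITH_CORE = {**API_ONLY, POM % "log4j-core": "version=2.14.1\n", JNDI_LOOKUP: b""}
```

For a real file, pass its path, for example `scan_jar("mirai-core-all-2.11.0.jar")`.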
