
Upgrading a Java web project from log4j1 to log4j2

2021/12/28 18:10:02

Reason for the upgrade: Log4j 2.14 and older versions contain a serious vulnerability, described as follows

A critical vulnerability in Apache's popular Log4j Java library, CVE-2021-44228 (CVSS score 10), was published Friday, causing us concern. On Saturday, many of your colleagues across Engineering, TechOps and Security spent the day fixing the Log4j instances we know to be open to the internet. New attacks have proven that the risk of unpatched Log4j instances anywhere in eHealth’s digital infrastructure could put eHealth at severe risk.

Also known as Log4shell, Apache's Log4j security update explains that in versions 2.14.1 and older of the library, attackers could gain control over log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Since the discovery, Apache quickly fixed this issue and released log4j version 2.15.0, disabling this behavior by default.

Upgrade steps:

1. In the build path, remove the project's reference to log4j-1.2.6.jar, and physically delete the log4j-1.2.6.jar file

2. Copy the following 4 files into WEB-INF/lib

  • log4j-core-2.16.0.jar
  • log4j-api-2.16.0.jar
  • log4j-1.2-api-2.16.0.jar
  • log4j-web-2.16.0.jar

3. In the build path, add references to the 4 files copied above

4. Modify the web.xml file

    <!-- ***** log4j ***** -->
    <!-- 
    <context-param>
      <param-name>webAppRootKey</param-name>
      <param-value>bookliner.root</param-value>
    </context-param>

    <context-param>
      <param-name>log4jConfigLocation</param-name>
      <param-value>classpath:log4j-unittest.xml</param-value>
    </context-param>

    <listener>
      <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>
    -->

    <!-- log4j2-begin -->
    <context-param>
        <param-name>log4jConfiguration</param-name>
        <param-value>classpath:log4j2.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.apache.logging.log4j.web.Log4jServletContextListener</listener-class>
    </listener>
    <filter>
        <filter-name>log4jServletFilter</filter-name>
        <filter-class>org.apache.logging.log4j.web.Log4jServletFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>log4jServletFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    <!-- log4j2-end -->

5. Write a log4j2.xml file based on the original log4j.xml, then delete log4j.xml.

Example log4j2.xml contents:

<?xml version="1.0" encoding="UTF-8"?>

<Configuration status="WARN" monitorInterval="30">
    <Properties>
        <Property name="LOG_HOME">logs</Property>
        <Property name="ERROR_LOG_FILE_NAME">logs</Property>
        <Property name="WARN_LOG_FILE_NAME">logs</Property>
        <Property name="PATTERN">%d{yyyy-MM-dd HH:mm:ss} [%L] %-5level %logger{36} - %msg%n</Property>
    </Properties>

    <Appenders>
        <Console name="Console" target="SYSTEM_OUT">
            <ThresholdFilter level="info" onMatch="ACCEPT" onMismatch="DENY" />
            <PatternLayout pattern="${PATTERN}" />
        </Console>

        <File name="log" fileName="logs/test.log" append="false">
            <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%t] %-5level %logger{36} - %msg%n"/>
        </File>

        <RollingFile name="RollingFileInfo" fileName="${LOG_HOME}/info.log"
                     filePattern="${LOG_HOME}/$${date:yyyy-MM}/info-%d{yyyy-MM-dd}-%i.log">
            <ThresholdFilter level="info" onMatch="ACCEPT" onMismatch="DENY" />
            <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%t] %-5level %logger{36} - %msg%n" />
            <Policies>
                <TimeBasedTriggeringPolicy interval="1" modulate="true" />
            </Policies>
        </RollingFile>

        <RollingFile name="RollingFileWarn" fileName="${WARN_LOG_FILE_NAME}/warn.log"
                     filePattern="${WARN_LOG_FILE_NAME}/$${date:yyyy-MM}/warn-%d{yyyy-MM-dd}-%i.log">
            <ThresholdFilter level="warn" onMatch="ACCEPT" onMismatch="DENY" />
            <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%t] %-5level %logger{36} - %msg%n" />
            <Policies>
                <TimeBasedTriggeringPolicy />
                <SizeBasedTriggeringPolicy size="2 kB" />
            </Policies>
            <DefaultRolloverStrategy max="20" />
        </RollingFile>

        <RollingFile name="RollingFileError" fileName="${ERROR_LOG_FILE_NAME}/error.log"
                     filePattern="${ERROR_LOG_FILE_NAME}/$${date:yyyy-MM}/error-%d{yyyy-MM-dd-HH-mm}-%i.log">
            <ThresholdFilter level="error" onMatch="ACCEPT" onMismatch="DENY" />
            <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%t] %-5level %logger{36} - %msg%n" />
            <Policies>
                <TimeBasedTriggeringPolicy interval="1" modulate="true" />
            </Policies>
        </RollingFile>
    </Appenders>

    <Loggers>
        <!-- log4j 2 element names are Logger, Root and AppenderRef (appender-ref is the log4j 1 element) -->
        <Logger name="org.springframework" level="INFO" />
        <Logger name="org.mybatis" level="INFO" />
        <Logger name="org.springframework.core" level="info" />
        <Logger name="org.springframework.beans" level="info" />
        <Logger name="org.springframework.context" level="info" />
        <Logger name="org.springframework.web" level="info" />
        <Logger name="org.jboss.netty" level="warn" />
        <Logger name="org.apache.http" level="warn" />
        <Root level="all">
            <AppenderRef ref="Console"/>
            <AppenderRef ref="RollingFileInfo"/>
            <AppenderRef ref="RollingFileWarn"/>
            <AppenderRef ref="RollingFileError"/>
        </Root>
    </Loggers>
</Configuration>

With these 5 steps done, the log4j upgrade is complete.
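To check the result of the five steps, here is an added audit script (example code written for this page, not part of the original post or of any project's tooling). It scans WEB-INF/lib for a leftover log4j 1.x jar and for the four log4j 2 jars at one consistent version at or above a minimum (the default is 2.16.0, the version used above; raise it as newer releases appear), parses web.xml to confirm that Spring's Log4jConfigListener is no longer active (commented-out entries are ignored by the XML parser, just as the container ignores them) while Log4jServletContextListener and the log4jConfiguration parameter are present, and checks that every AppenderRef in log4j2.xml names a declared appender. The directory layout (WEB-INF/lib, WEB-INF/web.xml, WEB-INF/classes/log4j2.xml) and the sample files it builds in a temporary directory are assumptions made for the demo; the sample contains two deliberate defects so that the output is not empty.

```python
# Added audit script for the five upgrade steps above (not part of the original post).
# Inspects a WEB-INF directory: leftover log4j 1.x jars, the four log4j 2 jars at one
# version >= a minimum, web.xml listener wiring, and AppenderRef resolution in log4j2.xml.
import os
import re
import tempfile
import xml.etree.ElementTree as ET

LOG4J2_ARTIFACTS = ("log4j-core", "log4j-api", "log4j-1.2-api", "log4j-web")
# artifact id, a dash, then a dotted numeric version, e.g. log4j-1.2-api-2.16.0.jar
JAR_RE = re.compile(r"^(?P<artifact>[a-z0-9.\-]+?)-(?P<version>\d+(?:\.\d+)+)\.jar$")
OLD_LISTENER = "org.springframework.web.util.Log4jConfigListener"
NEW_LISTENER = "org.apache.logging.log4j.web.Log4jServletContextListener"


def version_tuple(v):
    """'2.16.0' -> (2, 16, 0), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))


def audit_jar_names(names, minimum="2.16.0"):
    """Flag log4j 1.x jars and missing, mixed or too-old log4j 2 jars among jar file names."""
    findings, found = [], {}
    for name in sorted(names):
        m = JAR_RE.match(name)
        if not m:
            continue
        artifact, version = m.group("artifact"), m.group("version")
        if artifact == "log4j" and version.startswith("1."):
            findings.append(f"log4j 1.x jar still present: {name}")
        elif artifact in LOG4J2_ARTIFACTS:
            found[artifact] = version
    for artifact in LOG4J2_ARTIFACTS:
        if artifact not in found:
            findings.append(f"missing log4j 2 jar: {artifact}")
    if len(set(found.values())) > 1:
        findings.append(f"mixed log4j 2 versions: {found}")
    core = found.get("log4j-core")
    if core and version_tuple(core) < version_tuple(minimum):
        findings.append(f"log4j-core {core} is below the minimum {minimum}")
    return findings


def audit_web_xml(path):
    """ElementTree drops XML comments, so only listeners still in effect are seen."""
    findings = []
    elems = [(e.tag.split("}")[-1], (e.text or "").strip())  # strip the web-app namespace
             for e in ET.parse(path).getroot().iter()]
    listeners = {text for tag, text in elems if tag == "listener-class"}
    params = {text for tag, text in elems if tag == "param-name"}
    if OLD_LISTENER in listeners:
        findings.append("web.xml still activates Spring's Log4jConfigListener")
    if NEW_LISTENER not in listeners:
        findings.append("web.xml does not register Log4jServletContextListener")
    if "log4jConfiguration" not in params:
        findings.append("web.xml lacks the log4jConfiguration context-param")
    return findings


def audit_log4j2_xml(path):
    """Every appender ref must name an appender declared under Appenders (tag case ignored)."""
    root = ET.parse(path).getroot()
    defined = {a.get("name") for sec in root if sec.tag.lower() == "appenders" for a in sec}
    refs = {e.get("ref") for e in root.iter() if e.tag.lower().replace("-", "") == "appenderref"}
    return [f"log4j2.xml references an undefined appender: {r}" for r in sorted(refs - defined)]


def run_audit(webinf):
    """Assumed layout: WEB-INF/lib, WEB-INF/web.xml, WEB-INF/classes/log4j2.xml."""
    return (audit_jar_names(os.listdir(os.path.join(webinf, "lib")))
            + audit_web_xml(os.path.join(webinf, "web.xml"))
            + audit_log4j2_xml(os.path.join(webinf, "classes", "log4j2.xml")))


# Constructed sample files (not from a real project) with two deliberate defects:
# a leftover log4j-1.2.6.jar and an AppenderRef to an appender that is never declared.
SAMPLE_WEB_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <!-- <listener><listener-class>{OLD_LISTENER}</listener-class></listener> -->
  <context-param><param-name>log4jConfiguration</param-name>
    <param-value>classpath:log4j2.xml</param-value></context-param>
  <listener><listener-class>{NEW_LISTENER}</listener-class></listener>
</web-app>
"""
SAMPLE_LOG4J2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders><Console name="Console" target="SYSTEM_OUT"/></Appenders>
  <Loggers><Root level="info">
    <AppenderRef ref="Console"/><AppenderRef ref="RollingFileInfo"/>
  </Root></Loggers>
</Configuration>
"""
SAMPLE_JARS = ("log4j-1.2.6.jar", "log4j-core-2.16.0.jar", "log4j-api-2.16.0.jar",
               "log4j-1.2-api-2.16.0.jar", "log4j-web-2.16.0.jar")


def build_sample(root):
    lib, classes = os.path.join(root, "lib"), os.path.join(root, "classes")
    os.makedirs(lib)
    os.makedirs(classes)
    for jar in SAMPLE_JARS:
        open(os.path.join(lib, jar), "w").close()  # empty placeholder; only the name is checked
    with open(os.path.join(root, "web.xml"), "w") as f:
        f.write(SAMPLE_WEB_XML)
    with open(os.path.join(classes, "log4j2.xml"), "w") as f:
        f.write(SAMPLE_LOG4J2_XML)


def demo():
    """Build the sample WEB-INF in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return run_audit(tmp)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Run it as a script to see the findings for the sample, or call run_audit() on the WEB-INF directory of a real exploded WAR. It inspects jar file names only, so a renamed jar or a log4j copy shaded into another dependency would escape it; for those, inspect the jar manifests or search the unpacked classpath for org/apache/log4j classes.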