It was found that the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, ${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), an attacker who controls Thread Context Map (MDC) input data can craft malicious input using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments, and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
https://logging.apache.org/log4j/2.x/security.html
https://security.gentoo.org/glsa/202310-16
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
https://www.cve.org/CVERecord?id=CVE-2021-44228
https://www.debian.org/security/2021/dsa-5022
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
https://www.kb.cert.org/vuls/id/930724
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
http://www.openwall.com/lists/oss-security/2021/12/14/4