This is an automated email from the ASF dual-hosted git repository.
liujun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo-website.git
The following commit(s) were added to refs/heads/master by this push:
new 2dc12e7 add log4j vulnerability announcement
2dc12e7 is described below
commit 2dc12e74f34cd5e171f09a2d86897d21a411e113
Author: ken.lj <[email protected]>
AuthorDate: Sat Dec 11 17:30:34 2021 +0800
add log4j vulnerability announcement
---
content/en/docs/notices/security.md | 48 ++++++++++++++++++++++++++++++++++--
content/zh/notices/security.md | 49 +++++++++++++++++++++++++++++++++++--
2 files changed, 93 insertions(+), 4 deletions(-)
diff --git a/content/en/docs/notices/security.md
b/content/en/docs/notices/security.md
index bb6983c..45a2735 100755
--- a/content/en/docs/notices/security.md
+++ b/content/en/docs/notices/security.md
@@ -3,12 +3,56 @@
type: docs
title: "vulnerability"
linkTitle: "vulnerability"
-description: "Deserialization Vulnerability"
+description: "Vulnerability descriptions"
weight: 90
---
+## 1. Log4j CVE-2021-44228
-## Third-party Deserialization Library Vulnerabilities
+Recently, the mainstream log framework
[log4j2](https://logging.apache.org/log4j/2.x/) was reported with a severe
security vulnerability
[cve-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
+
+The following is a summary of the impact of this vulnerability cve-2021-44228
on the Apache Dubbo framework and the user's guide.
+
+### Potential Influence on Dubbo
+
+**CVE-2021-44228 has no security impact on use of Dubbo framework**
+
+Dubbo itself does not rely on the log4j2 framework, nor will it bring log4j2
to the project through dependency transfer. Therefore, Dubbo users of version
2.7.x and 3.0.x do not need to upgrade their Dubbo versions.
+
+The following is the dependency analysis of Dubbo components on log4j2,
involving `Dubbo common`, `Dubbo spring boot starter` and `Dubbo spring boot
actuator`:
+
+* `dubbo-common` optionally depends on `log4j-core`. The only need to check is
whether the project itself has enabled log4j dependency. If so, upgrade
accordingly.
+
+```xml
+[INFO] --- maven-dependency-plugin:3.1. 2:tree (default-cli) @ dubbo-common ---
+[INFO] org. apache. dubbo:dubbo-common:jar:2.7. 14-SNAPSHOT
+[INFO] +- org. apache. logging. log4j:log4j-api:jar:2.11. 1:provided
+[INFO] \- org. apache. logging. log4j:log4j-core:jar:2.11. 1:provided
+```
+
+* `dubbo-spring-boot-starter` transfers log4j-api dependency through
spring-boot. log4j-api itself has no security issue. But pay attention to
compatibility with log4j-api when upgrading the log4j-core component
+
+```xml
+[INFO] org. apache. dubbo:dubbo-spring-boot-starter:jar:2.7. 14-SNAPSHOT
+[INFO] \- org. springframework. boot:spring-boot-starter:jar:2.3.
1.RELEASE:compile (optional)
+[INFO] \- org. springframework. boot:spring-boot-starter-logging:jar:2.3.
1.RELEASE:compile (optional)
+[INFO] \- org. apache. logging. log4j:log4j-to-slf4j:jar:2.13. 3:compile
(optional)
+[INFO] \- org. apache. logging. log4j:log4j-api:jar:2.13. 3:compile (optional)
+```
+
+* `dubbo-spring-boot-actuator` transfers log4j-api dependency through
spring-boot. log4j-api itself has no security issue. But pay attention to
compatibility with log4j-api when upgrading the log4j-core component
+
+
+```xml
+[INFO] org. apache. dubbo:dubbo-spring-boot-actuator:jar:2.7. 14-SNAPSHOT
+[INFO] \- org. springframework. boot:spring-boot-starter-web:jar:2.3.
1.RELEASE:compile (optional)
+[INFO] \- org. springframework. boot:spring-boot-starter:jar:2.3.
1.RELEASE:compile
+[INFO] \- org. springframework. boot:spring-boot-starter-logging:jar:2.3.
1.RELEASE:compile
+[INFO] \- org. apache. logging. log4j:log4j-to-slf4j:jar:2.13. 3:compile
+[INFO] \- org. apache. logging. log4j:log4j-api:jar:2.13. 3:compile
+```
+
+## 2. Third-party Deserialization Library Vulnerabilities
Dubbo supports the extension of serialization protocol. Theoretically, users
can enable serialization protocol with arbitrary order based on the extension
mechanism, which brings great flexibility, but at the same time, they should be
aware of the potential security risks.
Data deserialization is one of the most vulnerable links to be exploited by
attackers. Attackers use it to steal or destroy server-side data, such as rce
attack.
Before switching the serialization protocol or implementation, the user should
fully investigate the security guarantee of target serialization protocol and
its framework implementation, and set corresponding security measures in
advance (such as setting Black / white list). The Dubbo framework itself cannot
guarantee the security of the target serialization mechanism.
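Review bot: the three added `xml` fences in this hunk (beginning with `[INFO] --- maven-dependency-plugin:3.1. 2:tree (default-cli) @ dubbo-common ---`) contain stray spaces inside every coordinate and version (`org. apache. dubbo`, `2.7. 14-SNAPSHOT`, `2.11. 1`), which the zh copy of the same output does not have; paste the clean `mvn dependency:tree` output and tag the fences `text` rather than `xml`, since this is console output, not XML. The sentence `Dubbo itself does not rely on the log4j2 framework` is also stronger than the `dubbo-common` bullet right below it, which shows an optional `log4j-core` dependency (and stronger than the zh `不强依赖`); say "has no hard dependency on log4j2" so the bold claim stays scoped to Dubbo's own dependency tree. In the `dubbo-common` bullet, `The only need to check is whether the project itself has enabled log4j dependency` reads better as "The only thing to check is whether the project itself enables that optional dependency". For the starter and actuator bullets, state what the trees actually show, namely that only `log4j-api` and `log4j-to-slf4j` arrive transitively and `log4j-core` does not appear, which is why an upgrade of `log4j-core` only matters when the project adds it itself; the starter block is also missing the `maven-dependency-plugin ... @ dubbo-spring-boot-starter` header line that the zh block has.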
diff --git a/content/zh/notices/security.md b/content/zh/notices/security.md
index 3eda1c9..e665d76 100755
--- a/content/zh/notices/security.md
+++ b/content/zh/notices/security.md
@@ -3,12 +3,57 @@
type: docs
title: "安全漏洞"
linkTitle: "安全漏洞"
-description: "序列化相关的安全问题说明"
+description: "安全漏洞说明"
weight: 90
---
+## 1. Log4j CVE-2021-44228 漏洞
-## 序列化
+最近,主流日志组件 [log4j2](https://logging.apache.org/log4j/2.x/) 爆出[安全漏洞
CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)。
+
+以下是漏洞 CVE-2021-44228 对 Apache Dubbo 框架的影响总结及用户应对指南。
+
+## Dubbo 影响范围
+**该漏洞对 Dubbo 框架使用安全并无影响。**
+
+Dubbo 本身不强依赖 log4j2 框架,也不会通过依赖传递将 log4j2 带到业务工程中去,因此,正在使用 Dubbo 2.7.x、3.0.x
等版本的用户均无需强制升级 Dubbo 版本。
+
+以下是 Dubbo 各组件对 log4j2 的依赖分析,涉及
`dubbo-common`、`dubbo-spring-boot-starter`、`dubbo-spring-boot-actuator`:
+
+* dubbo-common 包含对 `log4j-core` 的可选依赖,请检查项目自身是否启用了 log4j 依赖,如启用则对应升级即可。
+```xml
+[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ dubbo-common ---
+[INFO] org.apache.dubbo:dubbo-common:jar:2.7.14-SNAPSHOT
+[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.11.1:provided
+[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.11.1:provided
+
+```
+
+* dubbo-spring-boot-starter 通过 spring-boot 组件传递了 log4j-api 依赖,log4j-api
本身并无安全问题,升级 log4j-core 组件时注意与 log4j-api 的兼容性
+
+```xml
+[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @
dubbo-spring-boot-starter ---
+[INFO] org.apache.dubbo:dubbo-spring-boot-starter:jar:2.7.14-SNAPSHOT
+[INFO] \-
org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:compile
(optional)
+[INFO] \-
org.springframework.boot:spring-boot-starter-logging:jar:2.3.1.RELEASE:compile
(optional)
+[INFO] \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
(optional)
+[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
(optional)
+
+```
+
+* dubbo-spring-boot-actuator 通过 spring-boot 组件传递了 log4j-api 依赖,log4j-api
本身并无安全问题,升级 log4j-core 组件时应注意与 log4j-api 的兼容性
+
+```xml
+[INFO] org.apache.dubbo:dubbo-spring-boot-actuator:jar:2.7.14-SNAPSHOT
+[INFO] \-
org.springframework.boot:spring-boot-starter-web:jar:2.3.1.RELEASE:compile
(optional)
+[INFO] \-
org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:compile
+[INFO] \-
org.springframework.boot:spring-boot-starter-logging:jar:2.3.1.RELEASE:compile
+[INFO] \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
+[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
+```
+
+
+## 2. 序列化
Dubbo 支持序列化协议的扩展,理论上用户可以基于该扩展机制启用任意的序列化协议,这带来了极大的灵活的,但同时也要意识到其中潜藏的安全性风险。
数据反序列化是最容易被被攻击者利用的一个环节,攻击者利用它执行 RCE 攻击等窃取或破坏服务端数据,用户在切换序列化协议或实现前,
应充分调研目标序列化协议及其框架实现的安全性保障,并提前设置相应的安全措施(如设置黑/白名单)。Dubbo 框架自身并不能保证目标序列化机制的安全性。
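Review bot: `## Dubbo 影响范围` is a level-2 heading, so it renders as a sibling of `## 1. Log4j CVE-2021-44228 漏洞` rather than a subsection of it; use `### Dubbo 影响范围` to match the en file's `### Potential Influence on Dubbo`. In the first two fences there is an extra blank line before the closing fence (after the `log4j-core:jar:2.11.1:provided` line and after the last `log4j-api:jar:2.13.3:compile (optional)` line), and all three fences are tagged `xml` although the content is `mvn dependency:tree` console output; drop the blank lines and tag them `text`. The actuator block lacks the `maven-dependency-plugin ... :tree` header line that the `dubbo-common` and starter blocks carry; add it for consistency. The unchanged context line `这带来了极大的灵活的` has a typo (`极大的灵活性`) that could be fixed in the same pass.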