https://deploy-preview-3207--dubbo.netlify.app/en/latest/notices/Recent content in Announcement on Apache DubboHugoenhttps://deploy-preview-3207--dubbo.netlify.app/en/latest/notices/security/Mon, 01 Jan 0001 00:00:00 +0000https://deploy-preview-3207--dubbo.netlify.app/en/latest/notices/security/<h2 id="1-log4j-cve-2021-44228-漏洞">1. Log4j CVE-2021-44228 漏洞</h2> <p>最近，主流日志组件 <a href="https://logging.apache.org/log4j/2.x/">log4j2</a> 爆出<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">安全漏洞 CVE-2021-44228</a>。</p> <p>以下是漏洞 CVE-2021-44228 对 Apache Dubbo 框架的影响总结及用户应对指南。</p> <h2 id="dubbo-影响范围">Dubbo 影响范围</h2> <p><strong>该漏洞对 Dubbo 框架使用安全并无影响。</strong></p> <p>Dubbo 本身不强依赖 log4j2 框架，也不会通过依赖传递将 log4j2 带到业务工程中去，因此，正在使用 Dubbo 2.7.x、3.0.x 等版本的用户均无需强制升级 Dubbo 版本。</p> <p>以下是 Dubbo 各组件对 log4j2 的依赖分析，涉及 <code>dubbo-common</code>、<code>dubbo-spring-boot-starter</code>、<code>dubbo-spring-boot-actuator</code>：</p> <ul> <li>dubbo-common 包含对 <code>log4j-core</code> 的可选依赖，请检查项目自身是否启用了 log4j 依赖，如启用则对应升级即可。</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span>[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ dubbo-common --- </span></span><span style="display:flex;"><span>[INFO] org.apache.dubbo:dubbo-common:jar:2.7.14-SNAPSHOT </span></span><span style="display:flex;"><span>[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.11.1:provided </span></span><span style="display:flex;"><span>[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.11.1:provided </span></span></code></pre></div><ul> <li>dubbo-spring-boot-starter 通过 spring-boot 组件传递了 log4j-api 依赖，log4j-api 本身并无安全问题，升级 log4j-core 组件时注意与 log4j-api 的兼容性</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span>[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ dubbo-spring-boot-starter --- </span></span><span style="display:flex;"><span>[INFO] org.apache.dubbo:dubbo-spring-boot-starter:jar:2.7.14-SNAPSHOT </span></span><span style="display:flex;"><span>[INFO] \- org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:compile (optional) </span></span><span style="display:flex;"><span>[INFO] \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.1.RELEASE:compile (optional) </span></span><span style="display:flex;"><span>[INFO] \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile (optional) </span></span><span style="display:flex;"><span>[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile (optional) </span></span></code></pre></div><ul> <li>dubbo-spring-boot-actuator 通过 spring-boot 组件传递了 log4j-api 依赖，log4j-api 本身并无安全问题，升级 log4j-core 组件时应注意与 log4j-api 的兼容性</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#93a1a1;background-color:#002b36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span>[INFO] org.apache.dubbo:dubbo-spring-boot-actuator:jar:2.7.14-SNAPSHOT </span></span><span style="display:flex;"><span>[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.3.1.RELEASE:compile (optional) </span></span><span style="display:flex;"><span>[INFO] \- org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:compile </span></span><span style="display:flex;"><span>[INFO] \- org.springframework.boot:spring-boot-starter-logging:jar:2.3.1.RELEASE:compile </span></span><span style="display:flex;"><span>[INFO] \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile </span></span><span style="display:flex;"><span>[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile </span></span></code></pre></div><h2 id="2-序列化">2. 序列化</h2> <p>Dubbo 支持序列化协议的扩展，理论上用户可以基于该扩展机制启用任意的序列化协议，这带来了极大的灵活的，但同时也要意识到其中潜藏的安全性风险。 数据反序列化是最容易被被攻击者利用的一个环节，攻击者利用它执行 RCE 攻击等窃取或破坏服务端数据，用户在切换序列化协议或实现前， 应充分调研目标序列化协议及其框架实现的安全性保障，并提前设置相应的安全措施（如设置黑/白名单）。Dubbo 框架自身并不能保证目标序列化机制的安全性。</p>