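I have a question about the Log4j vulnerability (CVE-2021-44228) on some of my MySQL hosts. Even though I can see that it was not installed by MySQL, I would like to confirm whether MySQL uses this package in any of its features.
Is there a way to find the list of applications that use a particular rpm package on RHEL?
If it does not depend on MySQL, I can check the fix with the application team.
Thanks
Posted on 2021-12-13 07:37:03
Your friends are probably apt depends <package-name> and apt rdepends <package-name>.
Running apt depends mysql-server gets the ball rolling from the MySQL side: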
root@servername:~# apt depends mysql-server
mysql-server
Depends: mysql-server-5.7
Running the same against mysql-server-5.7 yields:
root@servername:~# apt depends mysql-server-5.7
mysql-server-5.7
PreDepends: adduser (>= 3.40)
PreDepends: debconf
PreDepends: mysql-common (>= 5.5)
Depends: bsdutils
bsdutils:i386
Depends: lsb-base (>= 3.0-10)
Depends: mysql-client-5.7 (>= 5.7.36-0ubuntu0.18.04.1)
Depends: mysql-common (>= 5.8+1.0.4~)
Depends: mysql-server-core-5.7 (= 5.7.36-0ubuntu0.18.04.1)
Depends: passwd
passwd:i386
Depends: perl (>= 5.6)
Depends: psmisc
psmisc:i386
|Depends: debconf (>= 0.5)
Depends: <debconf-2.0>
cdebconf
debconf
Depends: libc6 (>= 2.14)
Depends: libevent-core-2.1-6 (>= 2.1.8-stable)
Depends: libgcc1 (>= 1:3.0)
Depends: liblz4-1 (>= 0.0~r127)
Depends: libssl1.1 (>= 1.1.1)
Depends: libstdc++6 (>= 5.2)
Depends: zlib1g (>= 1:1.1.4)
Conflicts: <mysql-client-5.5>
Conflicts: <mysql-server-5.5>
Conflicts: <virtual-mysql-server>
percona-xtradb-cluster-server-5.7
mariadb-server-10.1
Breaks: <mysql-server-5.6> (<< 5.7)
Recommends: libhtml-template-perl
Suggests: <mailx>
bsd-mailx
mailutils
Suggests: tinyca
Replaces: <mysql-client-5.5>
Replaces: <mysql-server-5.5>
Replaces: <mysql-server-5.6> (<< 5.7)
Replaces: <virtual-mysql-server>
percona-xtradb-cluster-server-5.7
mariadb-server-10.1
mysql-server-5.7
So, at first glance, there is no indication that log4j is involved.
Let's do a reverse lookup using the syntax apt rdepends <package-name>:
root@servername:~# apt rdepends mysql-server-5.7
mysql-server-5.7
Reverse Depends:
Depends: mysql-testsuite-5.7 (= 5.7.36-0ubuntu0.18.04.1)
Depends: mysql-server
Replaces: percona-xtradb-cluster-server-5.7
Breaks: percona-xtradb-cluster-server-5.7
Depends: mysql-testsuite-5.7 (= 5.7.21-1ubuntu1)
Conflicts: mariadb-server-core-10.1
Replaces: mariadb-server-10.1
Breaks: mariadb-server-10.1
Depends: mysql-server
|Depends: mythtv-backend-master
|Depends: mythtv
Replaces: percona-xtradb-cluster-server-5.7
Breaks: percona-xtradb-cluster-server-5.7
Depends: mysql-server
Conflicts: mariadb-server-core-10.1
Replaces: mariadb-server-10.1
Breaks: mariadb-server-10.1
Depends: default-mysql-server
Nothing there. So let's do the same for log4j, starting with depends:
root@servername:~# apt depends *log4j*
liblog4j1.2-java
Suggests: liblog4j1.2-java-doc
Suggests: libmail-java
liblog4j2-java
Depends: liblightcouch-java
Depends: libmongodb-java
Suggests: liblog4j2-java-doc
Suggests: libcommons-compress-java
Suggests: libcommons-csv-java (>= 1.5)
Suggests: libconversant-disruptor-java (>= 1.2.11)
Suggests: libdisruptor-java (>= 3.3.7)
Suggests: libgeronimo-jms-1.1-spec-java
Suggests: libjackson2-core-java (>= 2.9.4)
Suggests: libjackson2-databind-java
Suggests: libjackson2-dataformat-xml-java
Suggests: libjackson2-dataformat-yaml (>= 2.8.10)
Suggests: libjansi-java (>= 1.16)
Suggests: libjcommander-java
Suggests: libjctools-java
Suggests: libjeromq-java
Suggests: libjpa-2.1-spec-java (>= 2.1.0)
Suggests: libmail-java (>= 1.6.1)
Suggests: libwoodstox-java (>= 4.1.3)
liblog4j1.2-java-doc
Depends: default-jdk-doc
liblog4j-extras1.2-java
Depends: libapache-pom-java (>= 18)
Depends: liblog4j1.2-java (>= 1.2.17)
Suggests: libgeronimo-jms-1.1-spec-java
Suggests: liblog4j-extras1.2-java-doc
liblog4j-extras1.2-java-doc
Recommends: default-jdk-doc
Recommends: liblog4j1.2-java-doc
Suggests: liblog4j-extras1.2-java
liblog4j2-java-doc
Depends: default-jdk-doc
Suggests: liblog4j2-java
node-log4js
Depends: nodejs (>= 0.10.0)
Depends: node-async (>= 0.1.15)
Looks good. The reverse, rdepends, looks good too:
root@servername:~# apt rdepends *log4j*
liblog4j1.2-java
Reverse Depends:
Depends: libzookeeper-java (>> 1.2.15-8)
Depends: mobile-atlas-creator
Recommends: libuima-core-java
Depends: libthrift-java
Suggests: libspring-core-java
Depends: libresteasy3.0-java
Suggests: libquartz-java (>= 1.2.17)
Depends: libopenjpa-java
Suggests: libnetty-java (>= 1.2.17)
Suggests: libnetty-3.9-java (>= 1.2.17)
Recommends: liblucene3-contrib-java
Depends: libjaxe-java
Suggests: libc3p0-java
Depends: libapacheds-java
Depends: libapache-poi-java
Depends: jftp
Suggests: ant-optional
Depends: activemq
Depends: jajuk
Depends: igv
Depends: umlet
Depends: pegasus-wms
Depends: natbraille
Depends: mobile-atlas-creator
Depends: logol
Depends: libdoxia-java (>= 1.2.17)
Suggests: libxbean-reflect-java
Suggests: libxbean-java (>= 1.2.17)
Depends: libvamsas-client-java
Recommends: libuima-core-java
Depends: libuima-as-java (>= 1.2.17)
Depends: libuima-addons-java (>= 1.2.17)
Depends: libthrift-java
Suggests: libspring-core-java
Suggests: libslf4j-java
Suggests: libquartz-java (>= 1.2.17)
Depends: libowasp-esapi-java (>= 1.2.17)
Depends: libopsin-java
Depends: libopenjpa-java
Suggests: libopenid4java-java
Suggests: libnetty-java (>= 1.2.17)
Suggests: libnetty-3.9-java (>= 1.2.17)
Depends: libmpj-java
Depends: libmime-util-java (>= 1.2.17)
Depends: libmavibot-java (>= 1.2.17)
Recommends: liblucene3-contrib-java
Depends: liblttng-ust-agent-java
Depends: liblog4j-extras1.2-java (>= 1.2.17)
Suggests: libjgroups-java
Depends: libjglobus-ssl-proxies-java
Recommends: libjenkins-json-java (>= 1.2.17)
Depends: libjaxe-java
Depends: libjas-java
Depends: libjaba-client-java
Depends: libgradle-android-plugin-java
Depends: libgmetrics-groovy-java
Depends: libexcalibur-logkit-java
Depends: libexcalibur-logger-java
Depends: eclipse-wtp-ws (>= 1.2.17-7ubuntu1)
Suggests: libcommons-logging-java
Depends: libcodenarc-groovy-java
Depends: libcdk-java
Suggests: libc3p0-java
Depends: libapache-poi-java
Depends: jftp
Depends: jets3t
Depends: jalview
Depends: iamcli
Depends: eclipse-wtp-xsl (>= 1.2.17-7ubuntu1)
Depends: activemq
Depends: davmail
Depends: artemis
Suggests: ant-optional
liblog4j2-java
Reverse Depends:
Suggests: libnetty-java (>= 2.10.0)
|Depends: jabref (>= 2.10.0-2)
Depends: jabref (<< 2.10)
|Depends: jabref (>= 2.10.0-2)
Suggests: libnetty-java (>= 2.8.2)
Suggests: liblog4j2-java-doc
Depends: libbiojava4.0-java
Depends: jabref (<< 2.10)
liblog4j1.2-java-doc
Reverse Depends:
Depends: libdoxia-java-doc
Suggests: liblog4j1.2-java
Depends: libowasp-esapi-java-doc
Suggests: liblog4j1.2-java
Recommends: liblog4j-extras1.2-java-doc
Recommends: libjenkins-json-java-doc
Recommends: libfreemarker-java-doc
liblog4j-extras1.2-java
Reverse Depends:
Suggests: liblog4j-extras1.2-java-doc
liblog4j-extras1.2-java-doc
Reverse Depends:
Suggests: liblog4j-extras1.2-java
liblog4j2-java-doc
Reverse Depends:
Suggests: liblog4j2-java
node-log4js
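Reverse Depends:
Even when I compare the outputs against each other, I cannot find any overlapping dependencies.
Limiting the output to --installed packages on the given server reduces the output further, to a single page: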
root@servername:~# apt depends *log4j* --installed
liblog4j1.2-java
liblog4j2-java
liblog4j1.2-java-doc
liblog4j-extras1.2-java
liblog4j-extras1.2-java-doc
liblog4j2-java-doc
node-log4js
root@servername:~# apt rdepends *log4j* --installed
liblog4j1.2-java
Reverse Depends:
liblog4j2-java
Reverse Depends:
liblog4j1.2-java-doc
Reverse Depends:
liblog4j-extras1.2-java
Reverse Depends:
liblog4j-extras1.2-java-doc
Reverse Depends:
liblog4j2-java-doc
Reverse Depends:
node-log4js
Reverse Depends:
root@servername:~# apt rdepends *mysql-server-5.7* --installed
mysql-server-5.7
Reverse Depends:
Depends: mysql-server
Depends: mysql-server
Depends: mysql-server
root@servername:~# apt depends *mysql-server-5.7* --installed
mysql-server-5.7
PreDepends: adduser (>= 3.40)
PreDepends: debconf
PreDepends: mysql-common (>= 5.5)
Depends: bsdutils
bsdutils:i386
Depends: lsb-base (>= 3.0-10)
Depends: mysql-client-5.7 (>= 5.7.36-0ubuntu0.18.04.1)
Depends: mysql-common (>= 5.8+1.0.4~)
Depends: mysql-server-core-5.7 (= 5.7.36-0ubuntu0.18.04.1)
Depends: passwd
passwd:i386
Depends: perl (>= 5.6)
Depends: psmisc
psmisc:i386
|Depends: debconf (>= 0.5)
cdebconf
debconf
Depends: libc6 (>= 2.14)
Depends: libevent-core-2.1-6 (>= 2.1.8-stable)
Depends: libgcc1 (>= 1:3.0)
Depends: liblz4-1 (>= 0.0~r127)
Depends: libssl1.1 (>= 1.1.1)
Depends: libstdc++6 (>= 5.2)
Depends: zlib1g (>= 1:1.1.4)
percona-xtradb-cluster-server-5.7
mariadb-server-10.1
Recommends: libhtml-template-perl
bsd-mailx
mailutils
percona-xtradb-cluster-server-5.7
mariadb-server-10.1
mysql-server-5.7
Your mileage/results may vary. We use MySQL on standard Ubuntu, without a GUI such as Gnome. So we only have the CLI to operate the MySQL instances.
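The by-eye comparison of the two listings above can be scripted. The following is an added example, not part of the original answer: it extracts the hard dependencies from saved apt depends / apt rdepends output and intersects the two sets. The sample excerpts are constructed, and example-app is a hypothetical package used only to show a positive match.

```sh
# Added example, not from the original answer.
# Print the package named on each PreDepends:/Depends: line of apt
# depends/rdepends output read from stdin. Conflicts, Breaks, Replaces,
# Recommends and Suggests are ignored: they do not force an install.
hard_deps() {
    sed -n -E 's/^[[:space:]]*[|]?(Pre)?Depends:[[:space:]]*<?([^>[:space:]]+).*/\2/p' |
        sort -u
}

# Packages present both in FILE1 (what the application depends on) and in
# FILE2 (what depends on log4j). Empty output: no link in the metadata.
overlap() (
    a=$(mktemp) && b=$(mktemp) || exit 1
    hard_deps < "$1" > "$a"
    hard_deps < "$2" > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
)

# Constructed samples in the format shown in the answer.
sample_mysql_depends() { cat <<'EOF'
mysql-server-5.7
  PreDepends: adduser (>= 3.40)
  Depends: mysql-common (>= 5.8+1.0.4~)
 |Depends: debconf (>= 0.5)
  Depends: <debconf-2.0>
  Conflicts: <mysql-server-5.5>
EOF
}
sample_log4j_rdepends() { cat <<'EOF'
liblog4j1.2-java
Reverse Depends:
  Depends: libzookeeper-java (>> 1.2.15-8)
  Suggests: libspring-core-java
  Depends: activemq
EOF
}
# example-app is hypothetical; it stands in for a package that does pull in log4j.
sample_app_depends() { cat <<'EOF'
example-app
  Depends: activemq
EOF
}

demo() (
    d=$(mktemp -d) || exit 1
    sample_mysql_depends > "$d/mysql"; sample_app_depends > "$d/app"
    sample_log4j_rdepends > "$d/log4j"
    echo "mysql-server-5.7 overlap: [$(overlap "$d/mysql" "$d/log4j")]"
    echo "example-app overlap:      [$(overlap "$d/app" "$d/log4j")]"
    rm -rf "$d"
)
demo
```

On a live host, feed it the saved output of `apt-cache depends --recurse <package>` and `apt rdepends '*log4j*'`; on RHEL, the platform in the question, `rpm -q --whatrequires <package>` answers the reverse-dependency question for installed packages. Package metadata only covers packaged copies, so a log4j-core JAR bundled inside an application archive will not appear in either listing.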
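Posted on 2021-12-13 20:10:11
MySQL Server is written in C++, not Java, so it does not use Log4j. The same goes for MySQL Workbench.
In fact, looking at https://github.com/orgs/mysql/repositories?type=all, MySQL Connector/J is the only MySQL product written in Java.
But according to the release notes for version 5.1.15 (2011-02-09), it does not include Log4j. It was removed long ago to satisfy licensing conditions.
You may have integrated Log4j yourself, since the release notes mention that the current logging implementation can be plugged into Log4j. But you would have to know whether you did that.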
https://dba.stackexchange.com/questions/303863