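I have a question about the Log4j vulnerability (CVE-2021-44228) on some of my MySQL hosts. Although I can see that MySQL does not have it installed, I want to confirm whether MySQL uses this package for any of its functionality.
Is there a way to find the list of applications that use a specific rpm package in RHEL?
If there is no dependency with MySQL, I can reach out to the application team for remediation.
Thanks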
Joh*_* N. 12
Your friends might be apt depends <package-name> and apt rdepends <package-name>.
Running apt depends mysql-server will start the roll-up from MySQL:
root@servername:~# apt depends mysql-server
mysql-server
Depends: mysql-server-5.7
Run the same on the product mysql-server-5.7:
root@servername:~# apt depends mysql-server-5.7
mysql-server-5.7
PreDepends: adduser (>= 3.40)
PreDepends: debconf
PreDepends: mysql-common (>= 5.5)
Depends: bsdutils
bsdutils:i386
Depends: lsb-base (>= 3.0-10)
Depends: mysql-client-5.7 (>= 5.7.36-0ubuntu0.18.04.1)
Depends: mysql-common (>= 5.8+1.0.4~)
Depends: mysql-server-core-5.7 (= 5.7.36-0ubuntu0.18.04.1)
Depends: passwd
passwd:i386
Depends: perl (>= 5.6)
Depends: psmisc
psmisc:i386
|Depends: debconf (>= 0.5)
Depends: <debconf-2.0>
cdebconf
debconf
Depends: libc6 (>= 2.14)
Depends: libevent-core-2.1-6 (>= 2.1.8-stable)
Depends: libgcc1 (>= 1:3.0)
Depends: liblz4-1 (>= 0.0~r127)
Depends: libssl1.1 (>= 1.1.1)
Depends: libstdc++6 (>= 5.2)
Depends: zlib1g (>= 1:1.1.4)
Conflicts: <mysql-client-5.5>
Conflicts: <mysql-server-5.5>
Conflicts: <virtual-mysql-server>
percona-xtradb-cluster-server-5.7
mariadb-server-10.1
Breaks: <mysql-server-5.6> (<< 5.7)
Recommends: libhtml-template-perl
Suggests: <mailx>
bsd-mailx
mailutils
Suggests: tinyca
Replaces: <mysql-client-5.5>
Replaces: <mysql-server-5.5>
Replaces: <mysql-server-5.6> (<< 5.7)
Replaces: <virtual-mysql-server>
percona-xtradb-cluster-server-5.7
mariadb-server-10.1
mysql-server-5.7
So at first glance there is no indication that log4j is involved.
Let's try a reverse lookup with the syntax apt rdepends <package-name>:
root@servername:~# apt rdepends mysql-server-5.7
mysql-server-5.7
Reverse Depends:
Depends: mysql-testsuite-5.7 (= 5.7.36-0ubuntu0.18.04.1)
Depends: mysql-server
Replaces: percona-xtradb-cluster-server-5.7
Breaks: percona-xtradb-cluster-server-5.7
Depends: mysql-testsuite-5.7 (= 5.7.21-1ubuntu1)
Conflicts: mariadb-server-core-10.1
Replaces: mariadb-server-10.1
Breaks: mariadb-server-10.1
Depends: mysql-server
|Depends: mythtv-backend-master
|Depends: mythtv
Replaces: percona-xtradb-cluster-server-5.7
Breaks: percona-xtradb-cluster-server-5.7
Depends: mysql-server
Conflicts: mariadb-server-core-10.1
Replaces: mariadb-server-10.1
Breaks: mariadb-server-10.1
Depends: default-mysql-server
Nothing. So let's do the same for log4j with depends:
root@servername:~# apt depends *log4j*
liblog4j1.2-java
Suggests: liblog4j1.2-java-doc
Suggests: libmail-java
liblog4j2-java
Depends: liblightcouch-java
Depends: libmongodb-java
Suggests: liblog4j2-java-doc
Suggests: libcommons-compress-java
Suggests: libcommons-csv-java (>= 1.5)
Suggests: libconversant-disruptor-java (>= 1.2.11)
Suggests: libdisruptor-java (>= 3.3.7)
Suggests: libgeronimo-jms-1.1-spec-java
Suggests: libjackson2-core-java (>= 2.9.4)
Suggests: libjackson2-databind-java
Suggests: libjackson2-dataformat-xml-java
Suggests: libjackson2-dataformat-yaml (>= 2.8.10)
Suggests: libjansi-java (>= 1.16)
Suggests: libjcommander-java
Suggests: libjctools-java
Suggests: libjeromq-java
Suggests: libjpa-2.1-spec-java (>= 2.1.0)
Suggests: libmail-java (>= 1.6.1)
Suggests: libwoodstox-java (>= 4.1.3)
liblog4j1.2-java-doc
Depends: default-jdk-doc
liblog4j-extras1.2-java
Depends: libapache-pom-java (>= 18)
Depends: liblog4j1.2-java (>= 1.2.17)
Suggests: libgeronimo-jms-1.1-spec-java
Suggests: liblog4j-extras1.2-java-doc
liblog4j-extras1.2-java-doc
Recommends: default-jdk-doc
Recommends: liblog4j1.2-java-doc
Suggests: liblog4j-extras1.2-java
liblog4j2-java-doc
Depends: default-jdk-doc
Suggests: liblog4j2-java
node-log4js
Depends: nodejs (>= 0.10.0)
Depends: node-async (>= 0.1.15)
Looks good. Let's see whether the reverse with rdepends looks good too:
root@servername:~# apt rdepends *log4j*
liblog4j1.2-java
Reverse Depends:
Depends: libzookeeper-java (>> 1.2.15-8)
Depends: mobile-atlas-creator
Recommends: libuima-core-java
Depends: libthrift-java
Suggests: libspring-core-java
Depends: libresteasy3.0-java
Suggests: libquartz-java (>= 1.2.17)
Depends: libopenjpa-java
Suggests: libnetty-java (>= 1.2.17)
Suggests: libnetty-3.9-java (>= 1.2.17)
Recommends: liblucene3-contrib-java
Depends: libjaxe-java
Suggests: libc3p0-java
Depends: libapacheds-java
Depends: libapache-poi-java
Depends: jftp
Suggests: ant-optional
Depends: activemq
Depends: jajuk
Depends: igv
Depends: umlet
Depends: pegasus-wms
Depends: natbraille
Depends: mobile-atlas-creator
Depends: logol
Depends: libdoxia-java (>= 1.2.17)
Suggests: libxbean-reflect-java
Suggests: libxbean-java (>= 1.2.17)
Depends: libvamsas-client-java
Recommends: libuima-core-java
Depends: libuima-as-java (>= 1.2.17)
Depends: libuima-addons-java (>= 1.2.17)
Depends: libthrift-java
Suggests: libspring-core-java
Suggests: libslf4j-java
Suggests: libquartz-java (>= 1.2.17)
Depends: libowasp-esapi-java (>= 1.2.17)
Depends: libopsin-java
Depends: libopenjpa-java
Suggests: libopenid4java-java
Suggests: libnetty-java (>= 1.2.17)
Suggests: libnetty-3.9-java (>= 1.2.17)
Depends: libmpj-java
Depends: libmime-util-java (>= 1.2.17)
Depends: libmavibot-java (>= 1.2.17)
Recommends: liblucene3-contrib-java
Depends: liblttng-ust-agent-java
Depends: liblog4j-extras1.2-java (>= 1.2.17)
Suggests: libjgroups-java
Depends: libjglobus-ssl-proxies-java
Recommends: libjenkins-json-java (>= 1.2.17)
Depends: libjaxe-java
Depends: libjas-java
Depends: libjaba-client-java
Depends: libgradle-android-plugin-java
Depends: libgmetrics-groovy-java
Depends: libexcalibur-logkit-java
Depends: libexcalibur-logger-java
Depends: eclipse-wtp-ws (>= 1.2.17-7ubuntu1)
Suggests: libcommons-logging-java
Depends: libcodenarc-groovy-java
Depends: libcdk-java
Suggests: libc3p0-java
Depends: libapache-poi-java
Depends: jftp
Depends: jets3t
Depends: jalview
Depends: iamcli
Depends: eclipse-wtp-xsl (>= 1.2.17-7ubuntu1)
Depends: activemq
Depends: davmail
Depends: artemis
Suggests: ant-optional
liblog4j2-java
Reverse Depends:
Suggests: libnetty-java (>= 2.10.0)
|Depends: jabref (>= 2.10.0-2)
Depends: jabref (<< 2.10)
|Depends: jabref (>= 2.10.0-2)
Suggests: libnetty-java (>= 2.8.2)
Suggests: liblog4j2-java-doc
Depends: libbiojava4.0-java
Depends: jabref (<< 2.10)
liblog4j1.2-java-doc
Reverse Depends:
Depends: libdoxia-java-doc
Suggests: liblog4j1.2-java
Depends: libowasp-esapi-java-doc
Suggests: liblog4j1.2-java
Recommends: liblog4j-extras1.2-java-doc
Recommends: libjenkins-json-java-doc
Recommends: libfreemarker-java-doc
liblog4j-extras1.2-java
Reverse Depends:
Suggests: liblog4j-extras1.2-java-doc
liblog4j-extras1.2-java-doc
Reverse Depends:
Suggests: liblog4j-extras1.2-java
liblog4j2-java-doc
Reverse Depends:
Suggests: liblog4j2-java
node-log4js
Reverse Depends:
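Even when I compare the outputs against each other, I can't find any overlapping dependencies.
Limiting the output to the --installed packages on a given server reduces the output further to one page: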
root@servername:~# apt depends *log4j* --installed
liblog4j1.2-java
liblog4j2-java
liblog4j1.2-java-doc
liblog4j-extras1.2-java
liblog4j-extras1.2-java-doc
liblog4j2-java-doc
node-log4js
root@servername:~# apt rdepends *log4j* --installed
liblog4j1.2-java
Reverse Depends:
liblog4j2-java
Reverse Depends:
liblog4j1.2-java-doc
Reverse Depends:
liblog4j-extras1.2-java
Reverse Depends:
liblog4j-extras1.2-java-doc
Reverse Depends:
liblog4j2-java-doc
Reverse Depends:
node-log4js
Reverse Depends:
root@servername:~# apt rdepends *mysql-server-5.7* --installed
mysql-server-5.7
Reverse Depends:
Depends: mysql-server
Depends: mysql-server
Depends: mysql-server
root@servername:~# apt depends *mysql-server-5.7* --installed
mysql-server-5.7
PreDepends: adduser (>= 3.40)
PreDepends: debconf
PreDepends: mysql-common (>= 5.5)
Depends: bsdutils
bsdutils:i386
Depends: lsb-base (>= 3.0-10)
Depends: mysql-client-5.7 (>= 5.7.36-0ubuntu0.18.04.1)
Depends: mysql-common (>= 5.8+1.0.4~)
Depends: mysql-server-core-5.7 (= 5.7.36-0ubuntu0.18.04.1)
Depends: passwd
passwd:i386
Depends: perl (>= 5.6)
Depends: psmisc
psmisc:i386
|Depends: debconf (>= 0.5)
cdebconf
debconf
Depends: libc6 (>= 2.14)
Depends: libevent-core-2.1-6 (>= 2.1.8-stable)
Depends: libgcc1 (>= 1:3.0)
Depends: liblz4-1 (>= 0.0~r127)
Depends: libssl1.1 (>= 1.1.1)
Depends: libstdc++6 (>= 5.2)
Depends: zlib1g (>= 1:1.1.4)
percona-xtradb-cluster-server-5.7
mariadb-server-10.1
Recommends: libhtml-template-perl
bsd-mailx
mailutils
percona-xtradb-cluster-server-5.7
mariadb-server-10.1
mysql-server-5.7
Your mileage/results may vary. We run MySQL on standard Ubuntu without a GUI such as Gnome, so we only have the CLI to work with the MySQL instances.
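The manual walk in the answer above (mysql-server, then mysql-server-5.7, then each dependency) can be automated. The following is an added example, not part of the original answer: a shell function that reads apt depends-style output and follows only Depends/PreDepends edges, so a mere Suggests link to log4j is not reported as a dependency. The names hard_dep_path, sample_apt_depends and demo-app are hypothetical, and the sample text is constructed and assumes apt's usual indentation (stanza headers in column 0).

```shell
# hard_dep_path ROOT REGEX: reads `apt depends`-style text on stdin, prints
# "ROOT -> ... -> match" and returns 0 if REGEX is reachable via hard deps, else 1.
hard_dep_path() {
    awk -v root="$1" -v pat="$2" '
        /^[^ |]/ { pkg = $1; next }            # column 0: stanza header
        /^ *[|]?(Pre)?Depends:/ {              # hard edge; "|" marks an alternative
            dep = $2; gsub(/[<>]/, "", dep)    # <name> is a virtual package
            edges[pkg] = edges[pkg] " " dep
        }                                      # Suggests/Recommends/provider lines are skipped
        END {
            queue[1] = root; seen[root] = 1; head = 1; tail = 1
            while (head <= tail) {             # breadth-first walk from ROOT
                cur = queue[head++]
                if (cur != root && cur ~ pat) {
                    path = cur
                    while (cur in parent) { cur = parent[cur]; path = cur " -> " path }
                    print path; exit 0
                }
                n = split(edges[cur], d, " ")
                for (i = 1; i <= n; i++) if (!(d[i] in seen)) {
                    seen[d[i]] = 1; parent[d[i]] = cur; queue[++tail] = d[i]
                }
            }
            exit 1
        }'
}

# Constructed sample (not captured from a real host), indented like apt output.
sample_apt_depends() {
    cat <<'EOF'
mysql-server
  Depends: mysql-server-5.7
mysql-server-5.7
  PreDepends: adduser (>= 3.40)
 |Depends: debconf (>= 0.5)
  Depends: <debconf-2.0>
    cdebconf
    debconf
demo-app
  Depends: libnetty-java
  Depends: libzookeeper-java
libnetty-java
  Suggests: liblog4j2-java
libzookeeper-java
  Depends: liblog4j1.2-java (>> 1.2.15-8)
EOF
}
sample_apt_depends | hard_dep_path mysql-server log4j || echo "mysql-server: no hard path to log4j"
sample_apt_depends | hard_dep_path demo-app log4j
```

A clean result only covers packages the package manager knows about; a Log4j jar bundled inside an application is not visible to this check.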
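MySQL Server is written in C++, not Java, so it does not use Log4j. The same goes for MySQL Workbench.
In fact, at https://github.com/orgs/mysql/repositories?type=all you can see that MySQL Connector/J is the only MySQL product written in Java.
But according to the release notes for version 5.1.15 (2011-02-09), it does not include Log4j. It was removed long ago to satisfy licensing conditions.
You might have integrated Log4j yourself, since the release notes mention that the current logging implementation can plug into Log4j. But you would have to know whether you did that.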