(以下为Java语言示例)
升级Log4j版本到官方修复版本(推荐)
<!-- Add the following dependency to pom.xml. -->
<!-- NOTE(review): 2.17.0 is the fixed release named on this page; check the Apache Log4j
     security advisories for the current fixed release before pinning the version. -->
<!-- NOTE(review): if log4j-api is declared separately, keep it on the same version, and
     confirm with `mvn dependency:tree` that no transitive dependency still resolves an
     older log4j-core onto the classpath. -->
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.0</version>
</dependency>
修改Log4j2配置文件,避免触发漏洞(不推荐:仅作为暂时无法升级时的临时缓解措施,不能替代升级)
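// Example: building the Log4j2 configuration in Java code.
//
// Both appenders get an explicit PatternLayout whose message converter carries the
// {nolookups} option, so "${...}" sequences inside a logged message are written out
// literally instead of being resolved. Without that option this configuration does not
// change lookup behaviour at all.
// NOTE(review): {nolookups} only covers the message text. Lookups referenced elsewhere in a
// pattern or configuration are not affected, and the option is only honoured by Log4j2
// releases that support it (confirm for the deployed version). Treat this as a stop-gap
// until log4j-core is upgraded.
ConfigurationBuilder<BuiltConfiguration> builder =
        ConfigurationBuilderFactory.newConfigurationBuilder();
builder.setStatusLevel(Level.ERROR);
builder.setConfigurationName("DefaultLogger");

// Appenders.
// The console appender is given an explicit layout: with none configured it would use the
// PatternLayout default (presumably "%m%n", confirm), which carries no {nolookups} option.
// The pattern below keeps that output format.
builder.add(builder.newAppender("Stdout", "CONSOLE")
                .addAttribute("target", ConsoleAppender.Target.SYSTEM_OUT)
                .add(builder.newLayout("PatternLayout")
                        .addAttribute("pattern", "%msg{nolookups}%n")))
        .add(builder.newAppender("LogFile", "FILE")
                .addAttribute("fileName", "app.log")
                .addAttribute("append", true)
                .addAttribute("locking", false)
                .add(builder.newLayout("PatternLayout")
                        .addAttribute("pattern",
                                "[%t] %-5level %logger{36} - %msg{nolookups}%n")));

// Logger that writes to the console at DEBUG.
// NOTE(review): the original comment describes this as the logger for Log4j2's own output,
// but the name used is LogManager.ROOT_LOGGER_NAME, i.e. the root logger. Confirm which was
// intended; ConfigurationBuilder also offers newRootLogger(...) for the root case.
builder.add(builder.newLogger(LogManager.ROOT_LOGGER_NAME, Level.DEBUG)
        .add(builder.newAppenderRef("Stdout"))
        .addAttribute("additivity", false));

// Logger for cometd.war: ERROR and above from the HTTP transport package go to the log file.
builder.add(builder.newLogger("org.cometd.server.transport.http", Level.ERROR)
        .add(builder.newAppenderRef("LogFile"))
        .addAttribute("additivity", false));

// Install the assembled configuration.
Configurator.initialize(builder.build());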