Skip to content
This repository has been archived by the owner on Aug 2, 2023. It is now read-only.

Commit

Permalink
Merge pull request #643 from book000/feat/issue-640-CVE_2021_44228
Browse files Browse the repository at this point in the history 
 feat: CVE-2021-44228の対策確認処理追加
  • Loading branch information
@book000
book000 authored Jan 18, 2022
2 parents f69589f + de81ddb commit 5d39292
Show file tree
Hide file tree
Showing 5 changed files with 170 additions and 3 deletions.
35 changes: 35 additions & 0 deletions src/main/java/com/jaoafa/mymaid4/event/Event_CVE_2021_44228.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
/*
* jaoLicense
*
* Copyright (c) 2022 jao Minecraft Server
*
* The following license applies to this project: jaoLicense
*
* Japanese: https://github.com/jaoafa/jao-Minecraft-Server/blob/master/jaoLICENSE.md
* English: https://github.com/jaoafa/jao-Minecraft-Server/blob/master/jaoLICENSE-en.md
*/

package com.jaoafa.mymaid4.event;

import com.jaoafa.mymaid4.Main;
import com.jaoafa.mymaid4.lib.EventPremise;
import com.jaoafa.mymaid4.tasks.Task_CVE_2021_44228;
import org.bukkit.event.EventHandler;
import org.bukkit.event.Listener;
import org.bukkit.event.player.PlayerJoinEvent;

public class Event_CVE_2021_44228 implements Listener, EventPremise {
@Override
public String description() {
return "ログイン時にクライアントがJavaライブラリ「log4j 2」にあった脆弱性 CVE-2021-44228 に対策されているかを確認します。";
}

@EventHandler
public void OnJoin(PlayerJoinEvent event) {
if (Main.getMyMaidConfig().isDevelopmentServer()) {
Main.getMyMaidLogger().warning("開発サーバのため、CVE-2021-44228チェックは動作しません。");
return;
}
new Task_CVE_2021_44228(event.getPlayer()).runTaskAsynchronously(Main.getMain());
}
}
5 changes: 4 additions & 1 deletion src/main/java/com/jaoafa/mymaid4/event/Event_LongTimeNoSee.java
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
/*
* jaoLicense
*
* Copyright (c) 2021 jao Minecraft Server
* Copyright (c) 2022 jao Minecraft Server
*
* The following license applies to this project: jaoLicense
*
Expand Down Expand Up @@ -36,6 +36,9 @@ public String description() {

@EventHandler
public void OnJoin(PlayerJoinEvent event) {
if (!MyMaidData.isMainDBActive()) {
return;
}
Player player = event.getPlayer();
String uuid = player.getUniqueId().toString();

Expand Down
5 changes: 4 additions & 1 deletion src/main/java/com/jaoafa/mymaid4/event/Event_OnlineTimeDB.java
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
/*
* jaoLicense
*
* Copyright (c) 2021 jao Minecraft Server
* Copyright (c) 2022 jao Minecraft Server
*
* The following license applies to this project: jaoLicense
*
Expand Down Expand Up @@ -50,6 +50,9 @@ public void OnEvent_LoginDBInsert(PlayerJoinEvent event) {
@EventHandler(priority = EventPriority.MONITOR,
ignoreCancelled = true)
public void OnEvent_QuitDBInsert(PlayerQuitEvent event) {
if (!MyMaidData.isMainDBActive()) {
return;
}
Player player = event.getPlayer();
int onlineTime = player.getStatistic(Statistic.PLAY_ONE_MINUTE) / 20;
if (!exists(player)) {
Expand Down
5 changes: 4 additions & 1 deletion src/main/java/com/jaoafa/mymaid4/event/Event_ServerException.java
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
/*
* jaoLicense
*
* Copyright (c) 2021 jao Minecraft Server
* Copyright (c) 2022 jao Minecraft Server
*
* The following license applies to this project: jaoLicense
*
Expand All @@ -28,6 +28,9 @@ public String description() {
@EventHandler
public void onServerException(ServerExceptionEvent event) {
ServerException exception = event.getException();
if (Main.getRollbar() == null) {
return;
}
Main.getRollbar().critical(exception, "onServerExceptionEvent");
}
}
123 changes: 123 additions & 0 deletions src/main/java/com/jaoafa/mymaid4/tasks/Task_CVE_2021_44228.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
/*
* jaoLicense
*
* Copyright (c) 2022 jao Minecraft Server
*
* The following license applies to this project: jaoLicense
*
* Japanese: https://github.com/jaoafa/jao-Minecraft-Server/blob/master/jaoLICENSE.md
* English: https://github.com/jaoafa/jao-Minecraft-Server/blob/master/jaoLICENSE-en.md
*/

package com.jaoafa.mymaid4.tasks;

import com.jaoafa.mymaid4.Main;
import net.kyori.adventure.text.Component;
import net.kyori.adventure.text.JoinConfiguration;
import net.kyori.adventure.text.event.HoverEvent;
import net.kyori.adventure.text.format.NamedTextColor;
import net.kyori.adventure.text.format.TextDecoration;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.ResponseBody;
import org.bukkit.Bukkit;
import org.bukkit.entity.Player;
import org.bukkit.scheduler.BukkitRunnable;
import org.json.JSONObject;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.concurrent.TimeUnit;

public class Task_CVE_2021_44228 extends BukkitRunnable {
Player player;

public Task_CVE_2021_44228(Player player) {
this.player = player;
}

@Override
public void run() {
if (!player.isOnline()) {
return;
}
InetSocketAddress isa = player.getAddress();
if (isa == null) {
return;
}
int beforeFoundCount = getFoundCount(isa.getAddress());
Main.getMyMaidLogger().info(player.getName() + " beforeFoundCount: " + beforeFoundCount);
player.sendMessage(Component.join(
JoinConfiguration.noSeparators(),
Component.text("[脆弱性テスト] "),
Component.text("${jndi:ldap://zakuro.jaoafa.com:39602}", NamedTextColor.DARK_GRAY, TextDecoration.ITALIC),
Component.text(" (これは何?)", NamedTextColor.DARK_GRAY, TextDecoration.UNDERLINED)
.hoverEvent(HoverEvent.showText(
Component.text("Javaライブラリ「log4j 2」にあった脆弱性 CVE-2021-44228 に対策されているかを確認するものです。")
))
));
int afterFoundCount = getFoundCount(isa.getAddress());
Main.getMyMaidLogger().info(player.getName() + " afterFoundCount: " + afterFoundCount);

if (afterFoundCount == 0 || afterFoundCount - beforeFoundCount == 0) {
player.sendMessage(Component.join(
JoinConfiguration.noSeparators(),
Component.text("[脆弱性テスト] "),
Component.text("ご協力いただきありがとうございます。あなたのクライアントは脆弱性対策がされているようです。", NamedTextColor.GREEN),
Component.text(" (これは何?)", NamedTextColor.DARK_GRAY, TextDecoration.UNDERLINED)
.hoverEvent(HoverEvent.showText(
Component.text("Javaライブラリ「log4j 2」にあった脆弱性 CVE-2021-44228 に対策されているかを確認するものです。")
))
));
} else {
Bukkit.getScheduler().runTask(Main.getJavaPlugin(), () -> player.kick(Component.join(
JoinConfiguration.noSeparators(),
Component.text("[Login Denied! - Reason: CVE-2021-44228]", NamedTextColor.RED),
Component.newline(),
Component.newline(),
Component.text("あなたのクライアントはJavaライブラリ「log4j 2」にあった"),
Component.newline(),
Component.text("脆弱性 CVE-2021-44228 の対策が"),
Component.text("されていない", NamedTextColor.RED, TextDecoration.UNDERLINED),
Component.text("ようです。"),
Component.newline(),
Component.newline(),
Component.text("脆弱性が悪用されることを防ぐため、jao Minecraft Serverでは"),
Component.newline(),
Component.text("本脆弱性への対策がなされていないクライアントからのログインを制限しております。"),
Component.newline(),
Component.newline(),
Component.text("悪意を持ったユーザーがあなたのクライアントを通して不正なコードを実行する"),
Component.newline(),
Component.text("可能性があるため、Forge等のクライアント・Modのアップデートを実施してください。")
)));
}
}

int getFoundCount(InetAddress ia) {
try {
String url = "http://127.0.0.1:39602/api/cve-2021-44228.php?ip=" + ia.getHostAddress();
OkHttpClient client = new OkHttpClient().newBuilder()
.connectTimeout(10, TimeUnit.SECONDS)
.readTimeout(10, TimeUnit.SECONDS)
.build();
Request request = new Request.Builder().url(url).build();

Response response = client.newCall(request).execute();
ResponseBody body = response.body();
if (body == null) {
return -1;
}
JSONObject object = new JSONObject(body.string());
if (!object.has("count")) {
return 0;
}
return object.getInt("count");
} catch (IOException e) {
e.printStackTrace();
return -1;
}
}
}

0 comments on commit 5d39292

Please sign in to comment.