关于 Log4j2 的王炸，各位对不能升级版本的中间件都有什么修复的方法？

不对外网开放+改环境变量。

能够单独引入指定版本 log4j2 的项目单独引入修复的版本。

找特定版本 JDK trustURLCodebase 为 false 的。

魔法打败魔法
https://github.com/Cybereason/Logout4Shell

临时解决，设定参数：formatMsgNoLookups=true

Temporary Mitigation​
As per this discussion on HackerNews:

The 'formatMsgNoLookups' property was added in version 2.10.0, per the JIRA Issue LOG4J2-2109 [1] that proposed it. Therefore the 'formatMsgNoLookups=true' mitigation strategy is available in version 2.10.0 and higher, but is no longer necessary with version 2.15.0, because it then becomes the default behavior [2][3].

If you are using a version older than 2.10.0 and cannot upgrade, your mitigation choices are:

Modify every logging pattern layout to say %m{nolookups} instead of %m in your logging config files, see details at https://issues.apache.org/jira/browse/LOG4J2-2109 (only works on versions >= 2.7) or,

Substitute a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to your application's or stack's classloading documentation to understand this behavior.

参考
https://www.lunasec.io/docs/blog/log4j-zero-day/

补充一个
For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

https://logging.apache.org/log4j/2.x/

如果业务运行在内网，需要很注意这个问题吗？我个人感觉是没必要啊，没有入口可以注入 LOG 吧？

@Depth 有意思

我提供一个思路，不知道对不对，用 nginx 来拦截输入，匹配关键字

https://github.com/Glavo/log4j-patch
推荐 glavo 大佬的 patch