Vulnerability discovered in the Spring Framework

Recently, news broke of a critical zero-day vulnerability identified in the Spring Core module, shipped as part of the Spring Framework, which allows a remote, unauthenticated attacker to execute their own code on the server.

By some estimates, the Spring Core module is used in 74% of Java applications. The danger of the vulnerability is reduced by the fact that only applications that use the "@RequestMapping" annotation to bind request handlers and that bind web form parameters in the "name=value" (POJO, Plain Old Java Object) format, rather than JSON/XML, can be attacked. It is not yet clear exactly which Java applications and frameworks are affected by the issue.

The vulnerability, dubbed "Spring4Shell", exploits a class injection that leads to a full and severe RCE. The name "Spring4Shell" was chosen because Spring Core is a ubiquitous library, much like log4j, which gave rise to the Log4Shell vulnerability.

We believe that users running JDK version 9 and later are at risk of the RCE attack. All versions of Spring Core are affected.

There are ways to mitigate the attack, and we believe that not all Spring servers are vulnerable, depending on other factors discussed below. Nevertheless, we currently recommend that all users apply the mitigations or upgrade if they are using Spring Core.

Exploitation of the vulnerability is only possible when using Java/JDK 9 or a newer version. The vulnerability is blocked by denying writes to the "class", "module" and "classLoader" fields, or by using an explicit list of allowed fields.

The problem stems from the ability to bypass the protection against CVE-2010-1622, which was fixed in the Spring Framework in 2010 and is related to invoking the classLoader handler when parsing request parameters.

The exploit boils down to sending a request with parameters of the form "class.module.classLoader.resources.context.parent.pipeline.first.*", whose processing, when "WebappClassLoaderBase" is in use, leads to a call into the AccessLogValve class.

That class allows the logger to be reconfigured so that it creates an arbitrary jsp file in the root of the Apache Tomcat environment and writes attacker-specified code into that file. The created file is reachable by direct requests and can be used as a web shell. To attack a vulnerable application in an Apache Tomcat environment, it is enough to send a request with certain parameters using the curl utility.

The problem under discussion in Spring Core should not be confused with the recently identified vulnerabilities CVE-2022-22963 and CVE-2022-22950. The first issue affects the Spring Cloud package and also allows remote code execution (an exploit) to be achieved. CVE-2022-22963 is fixed in the Spring Cloud 3.1.7 and 3.2.3 releases.

The second issue, CVE-2022-22950, is present in Spring Expression, can be used to launch DoS attacks, and is fixed in Spring Framework 5.3.17. These are separate problems. At the time of writing, the Spring Framework developers had not yet made any statement about the new vulnerability and had not released a fix.

As a temporary protective measure, it is recommended to use a deny-list of request parameters in your code.

However, it is not yet clear how severe the consequences of the identified issue may be, or whether attacks will be as widespread as with the vulnerability in Log4j 2. The vulnerability was given the codename Spring4Shell, assigned CVE-2022-22965, and the Spring Framework 5.3.18 and 5.2.20 updates were released to fix it.

The patch has been available since March 31, 2022 in the newly released Spring versions 5.3.18 and 5.2.20. We recommend that all users upgrade. For those who cannot upgrade, the following mitigations are possible:

According to the repository that confirms the presence of the RCE in Spring Core, the currently recommended approach is to patch DataBinder by adding a deny-list of the vulnerable field patterns required for exploitation.
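As an added illustration of that DataBinder deny-list (this is not code from the post or from the Spring project; it follows the shape of the workaround the Spring team published for applications that cannot upgrade, and assumes a standard Spring MVC application where the advice class is picked up by component scanning):

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

import java.util.LinkedHashSet;
import java.util.Set;

// Global @InitBinder hook applied to every controller in the application.
// LOWEST_PRECEDENCE makes it run after controller-local @InitBinder methods,
// so we can merge with (rather than be overwritten by) their own settings.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Patterns that cover "class.module.classLoader..." style parameters.
    // Both spellings are needed on unpatched 5.x, where matching is
    // case-sensitive (the 5.3.18/5.2.20 fix made it case-insensitive).
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void hardenBinder(WebDataBinder dataBinder) {
        Set<String> merged = new LinkedHashSet<>();
        // Keep anything a controller already disallowed locally; a plain
        // setDisallowedFields() here would replace that list instead.
        String[] existing = dataBinder.getDisallowedFields();
        if (existing != null) {
            for (String field : existing) {
                merged.add(field);
            }
        }
        for (String field : DENYLIST) {
            merged.add(field);
        }
        dataBinder.setDisallowedFields(merged.toArray(new String[0]));
    }
}
```

Disallowed fields are silently skipped during binding, so also watch access logs for requests carrying parameter names that start with "class." or contain ".class." to spot probing against the application.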

Finally, if you are interested in learning more about this item, you can check the details at the following link.
