Vulnerability detected in the Spring Framework

News recently broke that a critical zero-day vulnerability has been identified in the Spring Core module shipped as part of the Spring Framework, allowing a remote, unauthenticated attacker to execute their own code on the server.

By some estimates, the Spring Core module is used in 74% of Java applications. The risk of the vulnerability is reduced by the fact that only applications that use the "@RequestMapping" annotation to bind request handlers and that use web form parameter binding in the "name=value" (POJO, Plain Old Java Object) format, rather than JSON/XML, are vulnerable to attack. It is not yet clear which Java applications and frameworks are affected by the issue.

This vulnerability, dubbed "Spring4Shell", takes advantage of class injection leading to full RCE and is very serious. The name "Spring4Shell" was chosen because Spring Core is a library found practically everywhere, similar to log4j, which caused the Log4Shell vulnerability.

We believe that users running JDK version 9 and later are vulnerable to the RCE attack. All versions of Spring Core are affected.

There are strategies to mitigate the attack, and we believe that not all Spring servers are vulnerable, depending on other factors discussed below. That said, we currently recommend that all users apply the mitigations or upgrade if they use Spring Core.

Exploitation of the vulnerability is only possible when using Java/JDK 9 or a newer version. The vulnerability is blocked by adding the "class", "module" and "classLoader" fields to a blacklist, or by using an explicit whitelist of permitted fields.

The problem is caused by the ability to bypass the protection for the CVE-2010-1622 vulnerability, which was fixed in the Spring Framework in 2010 and was related to the ClassLoader object being instantiated when parsing request parameters.

The exploit boils down to sending a request with the parameters "class.module.classLoader.resources.context.parent.pipeline.first.*", whose processing, when "WebappClassLoaderBase" is in use, leads to a call into the AccessLogValve class.

That class allows the logger to be configured to create an arbitrary jsp file in the Apache Tomcat root environment and to write attacker-defined code into this file. The created file is reachable by direct requests and can be used as a web shell. To attack a vulnerable application in an Apache Tomcat environment, it is enough to send a request with certain parameters using the curl utility.

The problem under consideration in Spring Core should not be confused with the newly identified vulnerabilities CVE-2022-22963 and CVE-2022-22950. The first issue affects the Spring Cloud package and also allows remote code execution (an exploit has been published). CVE-2022-22963 is fixed in the Spring Cloud 3.1.7 and 3.2.3 releases.

The second issue, CVE-2022-22950, is present in Spring Expression, can be used to launch DoS attacks, and is fixed in Spring Framework 5.3.17. These are separate vulnerabilities. The Spring Framework developers have not yet made any statement about the new vulnerability and have not released a fix.

As a temporary protection measure, it is recommended to use a blacklist of disallowed parameters in your code.

It is also still unclear how catastrophic the consequences of the identified issue could be and whether the attack will be as massive as in the case of the Log4j 2 vulnerability. The vulnerability has been named Spring4Shell, CVE-2022-22965, and the Spring Framework updates 5.3.18 and 5.2.20 have been released to fix the vulnerability.

The patch is available as of March 31, 2022 in the recently released Spring versions 5.3.18 and 5.2.20. We recommend that all users upgrade. For those who cannot upgrade, the following mitigation is possible:

Based on the Praetorian post confirming the existence of the RCE in Spring Core, the currently recommended approach is to patch the DataBinder by adding a blacklist of the vulnerable field patterns required for exploitation.
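The following is an added example of that DataBinder workaround (not code from the original article or from the Spring project): a global `@ControllerAdvice` that registers the deny-list of field patterns on every `WebDataBinder` before request parameters are bound. The package name is a placeholder; the patterns cover the `class.module.classLoader...` property path described above.

```java
package com.example.mitigation; // hypothetical package, chosen for this example

import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Temporary Spring4Shell (CVE-2022-22965) mitigation for applications that
 * cannot yet upgrade to Spring Framework 5.3.18 / 5.2.20.
 *
 * Every @Controller's WebDataBinder passes through this @InitBinder method,
 * so a request parameter whose property path starts with or traverses
 * "class"/"Class" (for example
 * class.module.classLoader.resources.context.parent.pipeline.first.pattern)
 * is rejected at binding time instead of reaching the ClassLoader.
 */
@ControllerAdvice
@Order(10000) // low precedence: runs after the application's own @InitBinder methods
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Pattern matching in the affected releases is case-sensitive, so both
        // spellings are listed. The leading "*." forms also block nested paths
        // such as "order.class.classLoader...", not only top-level "class.*".
        String[] denylist = new String[] {
            "class.*",
            "Class.*",
            "*.class.*",
            "*.Class.*"
        };
        dataBinder.setDisallowedFields(denylist);
    }
}
```

One caveat: `setDisallowedFields` replaces the binder's list rather than appending to it, so any controller that calls it from its own `@InitBinder` method overrides this global list and must include these patterns itself.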

Finally, if you are interested in learning more about this, you can check the details at the following link.

