Vulnerability discovered in the Spring Framework

News recently broke of the discovery of a critical zero-day vulnerability in the Spring Core module, shipped as part of the Spring Framework, that allows a remote, unauthenticated attacker to execute their own code on the server.

By some estimates, the Spring Core module is used in 74% of Java applications. The risk is reduced by the fact that only applications that use the "@RequestMapping" annotation to bind request handlers and that bind web form parameters in the "name=value" format (POJO, Plain Old Java Object), rather than JSON/XML, are vulnerable to attack. It is not yet clear exactly which Java applications and frameworks are affected by this issue.

This vulnerability, dubbed "Spring4Shell", uses class injection that leads to full RCE and is extremely serious. The name "Spring4Shell" was chosen because Spring Core is a ubiquitous library, much like log4j, which gave rise to the well-known Log4Shell vulnerability.

We believe that users running JDK version 9 or later are vulnerable to the RCE attack. All versions of Spring Core are affected.

There are mitigation strategies, and we believe that not all Spring servers are vulnerable, depending on other factors discussed below. That said, we currently recommend that all users who use Spring Core apply the mitigations or upgrade.

Exploitation of the vulnerability is only possible when running Java/JDK 9 or a newer version. The vulnerability is blocked by disallowing the "class", "module" and "classLoader" fields, or by using an explicit whitelist of allowed fields.

The problem stems from the ability to bypass the protection against CVE-2010-1622, a vulnerability fixed in the Spring Framework in 2010 and related to the use of the classLoader handler when request parameters are passed.

The exploit works by sending a request with the parameters "class.module.classLoader.resources.context.parent.pipeline.first.*"; when "WebappClassLoaderBase" is in use, processing these parameters leads to a call into the AccessLogValve class.

That class allows the logger to be configured so that it creates an arbitrary jsp file in the Apache Tomcat root directory and writes attacker-specified code into it. The created file is reachable through direct requests and can be used as a web shell. To attack a vulnerable application in an Apache Tomcat environment, it is enough to send a request with certain parameters using the curl utility.
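A defender reading the two paragraphs above will want to know whether such requests have already reached their servers. The following is an added example, not code from the original article or from the Spring project, that scans Tomcat-style access log lines (constructed inline) for any parameter name that starts with "class." or contains ".class.", which covers the "class.module.classLoader" prefix named above. The class name, the sample log lines and the parameter value "x" are all constructed for illustration; it assumes Java 10 or later for the URLDecoder overload used.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical log scanner: flags requests whose query parameters walk into class.* property paths. */
public class Spring4ShellLogScan {

    // Request line as written in Common Log Format: "METHOD /path?query HTTP/x.y"
    private static final Pattern REQUEST_LINE =
        Pattern.compile("\"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) ([^ \"]+) HTTP/[0-9.]+\"");

    // A parameter name beginning with "class." or containing ".class." (case-insensitive)
    // is the bean-property path the article describes; legitimate forms never need it.
    private static final Pattern CLASS_PATH_PARAM =
        Pattern.compile("(^|\\.)class\\.", Pattern.CASE_INSENSITIVE);

    /** Returns the parameter names in a request target that match the denied pattern. */
    static List<String> suspiciousParams(String target) {
        List<String> hits = new ArrayList<>();
        int q = target.indexOf('?');
        if (q < 0) {
            return hits;
        }
        for (String pair : target.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            // Decode so that percent-encoded dots cannot slip past the pattern.
            name = URLDecoder.decode(name, StandardCharsets.UTF_8);
            if (CLASS_PATH_PARAM.matcher(name).find()) {
                hits.add(name);
            }
        }
        return hits;
    }

    /** Scans access log lines and returns those carrying at least one denied parameter name. */
    static List<String> scan(List<String> logLines) {
        List<String> flagged = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REQUEST_LINE.matcher(line);
            if (m.find() && !suspiciousParams(m.group(1)).isEmpty()) {
                flagged.add(line);
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        // Constructed sample lines; the second carries the parameter prefix named in the article.
        List<String> sample = List.of(
            "203.0.113.5 - - [31/Mar/2022:10:00:00 +0000] \"GET /app/greet?name=alice HTTP/1.1\" 200 512",
            "203.0.113.9 - - [31/Mar/2022:10:00:01 +0000] \"GET /app/greet?class.module.classLoader"
                + ".resources.context.parent.pipeline.first.example=x HTTP/1.1\" 200 512",
            "203.0.113.7 - - [31/Mar/2022:10:00:02 +0000] \"POST /app/greet HTTP/1.1\" 200 512");
        for (String hit : scan(sample)) {
            System.out.println("FLAGGED: " + hit);
        }
    }
}
```

Only the second line is flagged. The scanner sees only what the access log records, and by default Tomcat logs the request line but not POST bodies, so form parameters sent in the body (the case the article says is vulnerable) need application-level or proxy-level request logging to be caught this way; an unexpected .jsp file appearing under the Tomcat web root is the other artifact worth checking for.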

The Spring Core problem under discussion should not be confused with the recently identified vulnerabilities CVE-2022-22963 and CVE-2022-22950. The first affects the Spring Cloud package and allows remote code execution (an exploit exists). CVE-2022-22963 is fixed in Spring Cloud releases 3.1.7 and 3.2.3.

The second, CVE-2022-22950, is present in Spring Expression, can be used to launch DoS attacks, and is fixed in Spring Framework 5.3.17. These are fundamentally different vulnerabilities. The Spring Framework developers have not yet made any statement about the new vulnerability and have not released a fix.

As a temporary protective measure, it is recommended to use a blocklist of disallowed query parameters in your code.

It is still unclear how severe the consequences of the identified issue may be and whether the attacks will be as widespread as in the case of the Log4j 2 vulnerability. The vulnerability has been given the codename Spring4Shell, assigned CVE-2022-22965, and Spring Framework updates 5.3.18 and 5.2.20 have been released to address it.

The patch has been available since March 31, 2022 in the latest Spring releases, 5.3.18 and 5.2.20. We recommend that all users upgrade. For those who cannot upgrade, the following mitigation is possible:

Based on Praetorian's post confirming the existence of the RCE in Spring Core, the currently recommended approach is to patch the DataBinder by adding a blocklist of the vulnerable field patterns that exploitation requires.
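The blocklist mitigation just described, together with the explicit allowlist alternative mentioned earlier, looks like the following in a Spring MVC application. This is an added example, not code from the original article or from the Spring project: the class names, the "/greet" form and its GreetingForm POJO are constructed for illustration, while the four field patterns are the ones the published workaround used. It assumes Spring Web MVC 5.x on the classpath.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

/**
 * Global mitigation: every WebDataBinder created for any controller refuses to bind
 * request parameters whose property path passes through "class" (hypothetical class name).
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Both capitalisations, as in the published workaround, so that "Class.*" is
        // caught as well as "class.*"; the "*.class.*" forms cover nested properties.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}

/**
 * Hypothetical form-backed controller showing the stricter alternative the article mentions:
 * an explicit allowlist, so that only the named form fields are ever bound.
 */
@Controller
class GreetingController {

    /** Constructed POJO bound from "name=value" form parameters. */
    public static class GreetingForm {
        private String name;

        public String getName() {
            return name;
        }

        public void setName(String name) {
            this.name = name;
        }
    }

    @InitBinder("greetingForm")
    public void allowOnlyFormFields(WebDataBinder dataBinder) {
        // Anything not listed here, including any class.* path, is ignored by the binder.
        dataBinder.setAllowedFields("name");
    }

    @PostMapping("/greet")
    public String greet(@ModelAttribute("greetingForm") GreetingForm form) {
        return "greeting";
    }
}
```

The @ControllerAdvice binder runs before a controller's own @InitBinder methods on the same WebDataBinder, so a controller that only adds an allowlist, as above, keeps the global blocklist too. A controller that calls setDisallowedFields itself replaces the global list and must repeat the class patterns. Either way this is a stopgap: upgrading to 5.3.18 or 5.2.20 is the fix.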

Finally, if you are interested in learning more about it, you can check the details at the following link.

