Another vulnerability in Log4j 2. Log4j issues affect 8% of Maven packages

A vulnerability has been identified in the Log4j 2 library (CVE-2021-45105) which, unlike the two previous issues, is classified as dangerous but not critical. The new issue allows a denial of service to be triggered and manifests as an infinite loop and a crash when certain strings are processed. The vulnerability is fixed in the Log4j 2.17 release published a few hours ago. The danger is reduced by the fact that the problem only appears on systems with Java 8.

The vulnerability affects systems that use context lookups (Context Lookup), such as ${ctx:var}, to define the log output format. Log4j versions 2.0-alpha1 through 2.16.0 lacked protection against uncontrolled recursion, which allowed an attacker who controls the value used in the substitution to cause a loop that leads to stack space exhaustion and a crash. In particular, the problem occurred when substituting values such as "${${::-${::-$${::-j}}}}".
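Two checks a defender can run against this description, written here as an added example (not code from the article or from the Log4j project): a depth counter for nested `${...}` lookups that can be applied to untrusted input before it is logged, and a test for whether a layout pattern relies on `${ctx:...}` substitution at all. The log lines and the `ctx`-based pattern are constructed for the example; the nested string is the one quoted in the article.

```python
from typing import List

# Constructed sample input: values that might reach a log statement.
SAMPLE_LINES = [
    "login ok user=alice",
    "login failed user=${${::-${::-$${::-j}}}}",   # nested lookup string from the advisory
    "layout check user=${ctx:user}",                # a single, ordinary context lookup
]

# Constructed layout patterns: one uses a context lookup, one does not.
PATTERN_WITH_CTX = "%d %p [${ctx:requestId}] %m%n"
PATTERN_PLAIN = "%d %p %m%n"


def max_lookup_depth(text: str) -> int:
    """Return the deepest nesting of `${...}` lookups in text (0 if none).

    The scan only tracks `${` openers and `}` closers, which is enough to
    spot recursion-style inputs; it does not interpret the lookup itself.
    """
    depth = 0
    deepest = 0
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            deepest = max(deepest, depth)
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
        i += 1
    return deepest


def uses_context_lookup(pattern: str) -> bool:
    """True if a PatternLayout / config string uses ${ctx:...} substitution,
    i.e. the configuration shape the advisory says is affected."""
    return "${ctx:" in pattern


def suspicious_inputs(lines: List[str], threshold: int = 2) -> List[str]:
    """Return lines whose lookup nesting reaches the threshold.

    Depth 1 is normal for a configured lookup; depth 2 or more in a value
    that came from outside the application is worth alerting on or
    rejecting before it is passed to the logger.
    """
    return [line for line in lines if max_lookup_depth(line) >= threshold]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"depth={max_lookup_depth(line)}  {line}")
    print("flagged:", suspicious_inputs(SAMPLE_LINES))
    print("pattern uses ctx lookup:", uses_context_lookup(PATTERN_WITH_CTX))
```

The depth counter is a coarse input filter, not a substitute for upgrading: a logger on a vulnerable version still recurses on any value it receives through a path the filter does not cover, so the pattern check is there to tell you whether your configuration is in the affected shape at all.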

Additionally, it can be noted that researchers from Blumira have proposed a way to attack vulnerable Java applications that do not accept external network requests; for example, developers' systems or users of Java applications could be attacked this way. The essence of the method is that if vulnerable Java processes on the user's system accept network connections only from localhost, or handle RMI requests (Remote Method Invocation, port 1099), the attack can be carried out by JavaScript code executed when the user opens a malicious page in their browser. To establish a connection to the Java application's network port during such an attack, the WebSocket API is used, which, unlike HTTP requests, is not subject to the same same-origin restrictions (WebSocket can also be used to scan network ports on the local host to identify listening network handlers).

Also of interest are the results published by Google of an assessment of how many libraries are exposed through their dependency on Log4j. According to Google, the problem affects 8% of all packages in the Maven Central repository. In particular, 35,863 Java packages tied to Log4j through direct and indirect dependencies were exposed to the vulnerabilities. At the same time, Log4j is used as a direct, first-level dependency in only 17% of cases; in 83% of the affected packages the binding goes through intermediate packages that depend on Log4j, i.e. second-level and higher dependencies (21% second level, 12% third, 14% fourth, 26% fifth, 6% sixth). The pace of fixing the vulnerability still leaves much to be desired: a week after the vulnerability was discovered, the problem had been fixed in only 4,620 of the 35,863 packages identified, i.e. 13%.
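Because most affected packages pull Log4j in transitively, a version check on direct dependencies misses the bulk of cases. The following is an added example (not Google's tooling and not code from the article) that parses the text output of `mvn dependency:tree`, reports every `log4j-core` occurrence with the depth at which it enters the build, and flags versions in the range the article names for CVE-2021-45105 (2.0-alpha1 through 2.16.0, fixed in 2.17). The dependency tree below is constructed for the example and does not describe a real project.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `mvn dependency:tree` output (not a real project).
# log4j-core arrives three levels down, via a starter and an slf4j binding.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.17.0:compile
""".strip("\n")

# One tree line: "[INFO] " + indentation units of 3 chars ("|  " or "   ")
# + an optional "+- " / "\- " connector + Maven coordinates.
LINE_RE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[| ]  )*)(?P<conn>[+\\]- )?(?P<coords>\S+)$"
)

FIXED_IN = (2, 17, 0)   # per the article: fixed in Log4j 2.17


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.14.1' or '2.0-alpha1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def vulnerable_to_cve_2021_45105(version: str) -> bool:
    """True for Log4j 2 versions below 2.17.0 (2.0-alpha1 .. 2.16.0 per the article).
    Log4j 1.x is a different code base and is not covered by this check."""
    parsed = parse_version(version)
    return parsed is not None and parsed[0] == 2 and parsed < FIXED_IN


def find_log4j_core(tree_text: str) -> List[Tuple[int, str, bool]]:
    """Return (depth, version, vulnerable) for each log4j-core node in the tree.

    depth 0 is the project itself, 1 a direct dependency, 2+ transitive.
    """
    hits = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("indent")) // 3 + (1 if m.group("conn") else 0)
        parts = m.group("coords").split(":")
        # group:artifact:packaging[:classifier]:version[:scope]
        if len(parts) < 4:
            continue
        group, artifact = parts[0], parts[1]
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            hits.append((depth, version, vulnerable_to_cve_2021_45105(version)))
    return hits


if __name__ == "__main__":
    for depth, version, vuln in find_log4j_core(SAMPLE_TREE):
        status = "VULNERABLE" if vuln else "ok"
        print(f"log4j-core {version} at depth {depth}: {status}")
```

In a real build, run `mvn dependency:tree` in the module that produces the deployable artifact and feed its output to `find_log4j_core`; a transitive hit at depth 2 or more is the case the Google figures describe, and it is usually addressed by pinning `log4j-core` in `dependencyManagement` rather than by waiting for every intermediate package to update.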

Meanwhile, the US Cybersecurity and Infrastructure Security Agency has issued an emergency directive requiring federal agencies to identify information systems affected by the Log4j vulnerability and to install updates that block the problem by December 23. By December 28, agencies are required to report on their actions. To simplify identification of affected systems, a list of products confirmed to be vulnerable has been prepared (the list includes more than 23 thousand applications).

source: budenet.ru