Log4j 2.17.1 update fixes another vulnerability

Corrective releases of the Log4j library, 2.17.1, 2.3.2-rc1 and 2.12.4-rc1, have been published; they fix another vulnerability (CVE-2021-44832). The issue is said to allow remote code execution (RCE), but it is marked as benign (CVSS Score 6.6) and is mostly of theoretical interest, because exploitation requires specific conditions: the attacker must be able to modify the Log4j configuration file, i.e. must have access to the attacked system and the authority to change the value of the log4j2.configurationFile configuration parameter or to make changes to existing files containing the logging settings.

The attack boils down to defining, on the local system, a JDBC Appender-based configuration that refers to an external JNDI URI; when that URI is requested, a Java class can be returned for execution. By default, the JDBC Appender is not configured to handle non-Java protocols, i.e. without a change to the configuration the attack is impossible. In addition, the issue affects only the log4j-core JAR and does not affect applications that use the log4j-api JAR without log4j-core. ...
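As an added example (not from the original article or the Log4j project), the following Python check parses a Log4j 2 XML configuration and reports every JDBC Appender `DataSource` whose `jndiName` does not use the `java:` scheme, which is the configuration change the attack depends on. The sample configurations and the host name are constructed, and only the XML configuration format is covered.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from the article).
SAFE_CONFIG = """<Configuration>
  <Appenders>
    <JDBC name="db" tableName="app_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>"""

RISKY_CONFIG = """<Configuration>
  <Appenders>
    <Console name="out"/>
    <jdbc name="db" tableName="app_log">
      <DataSource JndiName="ldap://host.example.invalid/ds"/>
    </jdbc>
  </Appenders>
</Configuration>"""


def local_name(tag):
    """Drop any XML namespace and lowercase, so element names match in any case."""
    return tag.rsplit("}", 1)[-1].lower()


def audit_jdbc_appenders(xml_text):
    """Return (appender name, jndiName) for each JDBC DataSource not using java:."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if local_name(elem.tag) != "jdbc":
            continue
        appender = next((v for k, v in elem.attrib.items() if k.lower() == "name"), "<unnamed>")
        for child in elem.iter():
            if local_name(child.tag) != "datasource":
                continue
            for key, value in child.attrib.items():
                # Anything other than a java: name (including unresolved ${...}
                # lookups) is reported for manual review.
                if key.lower() == "jndiname" and not value.strip().lower().startswith("java:"):
                    findings.append((appender, value))
    return findings


if __name__ == "__main__":
    for label, text in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, audit_jdbc_appenders(text))
```

Run it over the file named by `log4j2.configurationFile` and over any other logging configuration files on the host, since the article names both as places an attacker would need write access to.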

Source: opennet.ru
