A critical zero-day vulnerability has been discovered in the Spring Core module, part of the Spring Framework. It allows an unauthenticated remote attacker to execute code on the server. The severity of the issue is not yet clear, nor whether attacks will become as widespread as those seen with the Log4j 2 vulnerability. The vulnerability has been named Spring4Shell, but no CVE identifier has been assigned yet. The issue has not yet been fixed in the Spring Framework, and several working exploits are already available online (1, 2, 3, 4). The problem is aggravated by the fact that many enterprise Java applications based on the Spring Framework run with root privileges, so the vulnerability can lead to a full compromise of the system.
According to some estimates, 74% of Java applications use the Spring Core module. The severity of the vulnerability is reduced by the fact that it only affects applications that use the "@RequestMapping" annotation to register request handlers and bind web form parameters in "name=value" format (POJO, Plain Old Java Object), rather than JSON/XML.
It is not yet clear which Java applications and frameworks are affected by this issue. The vulnerability can be blocked by blacklisting the "class", "module" and "classLoader" fields, or by using a whitelist of permitted fields. Exploitation is only possible with Java/JDK 9 or later. The problem is possibly caused by a bypass of the fix for CVE-2010-1622, a vulnerability patched in the Spring Framework in 2010 that involved manipulation of the classLoader handler while parsing request parameters.
The exploit works by sending a request with parameters of the form "class.module.classLoader.resources.context.parent.pipeline.first.*". Processing these parameters creates a JSP file in the Apache Tomcat root environment, and the code specified by the attacker is written into that file. The created file is reachable by direct requests and can be used as a web shell. To attack a vulnerable application in an Apache Tomcat environment, it is enough to send a request with the special parameters using the curl utility:

curl -v -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=code_to_insert_into_file&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" http://localhost:8080/springmvc5-helloworld-exmaple-0.0.1-SNAPSHOT/rapid7
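As an added detection example (not from the article or the Spring project), the following Python script scans access-log lines for request parameters whose dotted property path contains the class.module.classLoader chain used by the exploit described above. The log lines, IP addresses and application path are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Property-path prefix used by the public proof of concept: data binding walks from the
# form object through getClass().getModule().getClassLoader() into Tomcat internals.
CLASSLOADER_PATH = ("class", "module", "classloader")

# Common/Combined access-log format (sample lines below are constructed, not real traffic).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def reaches_classloader(param_name):
    """True if a dotted parameter name contains the class.module.classLoader chain (any case)."""
    parts = [p.lower() for p in param_name.split(".")]
    return any(tuple(parts[i:i + 3]) == CLASSLOADER_PATH for i in range(len(parts) - 2))


def suspicious_params(query):
    """Decode a query string or form body and return the parameter names that hit the chain."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True) if reaches_classloader(name)]


def scan_access_log(lines):
    """Return (ip, method, path, flagged parameter names) for every matching log line.

    Only GET query strings are visible in a standard access log; a POST body like the
    curl example above needs request-body logging or a reverse-proxy/WAF capture."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path, _, query = m.group("target").partition("?")
        flagged = suspicious_params(query)
        if flagged:
            hits.append((m.group("ip"), m.group("method"), path, flagged))
    return hits


# Constructed sample lines: one benign form submission, one exploit-style GET, one opaque POST.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2022:10:00:01 +0000] "GET /app/rapid7?name=alice&age=30 HTTP/1.1" 200 512',
    '198.51.100.7 - - [31/Mar/2022:10:00:02 +0000] "GET /app/rapid7?class.module.classLoader.resources'
    '.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent'
    '.pipeline.first.directory=webapps/ROOT HTTP/1.1" 200 512',
    '198.51.100.7 - - [31/Mar/2022:10:00:03 +0000] "POST /app/rapid7 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, method, path, params in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} {path}: {', '.join(params)}")
```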
This issue in Spring Core should not be confused with the recently identified vulnerabilities CVE-2022-22963 and CVE-2022-22950. The first affects the Spring Cloud package and was fixed in versions 3.1.7 and 3.2.3. The second affects Spring Expression and was fixed in Spring Framework 5.3.17. These vulnerabilities are completely different. The Spring Framework developers have not yet published a statement about the new vulnerability, nor released a fix.
As a temporary security measure, it is recommended to add a blacklist of disallowed request parameters in the code:

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applied to every controller's data binder; the high order value makes this advice run last.
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Reject request parameters whose property path goes through "class" / "Class".
        String[] denylist = new String[]{"class.", "Class.", ".class.", ".Class."};
        dataBinder.setDisallowedFields(denylist);
    }
}
Source: opennet.ru
