Another vulnerability in Log4j 2. Log4j issues affect 8% of Maven packages

Another vulnerability has been identified in the Log4j 2 library (CVE-2021-45105). Unlike the two previous issues it is rated as serious rather than critical: it allows a denial of service, showing up as an endless loop and a crash while formatting certain strings. The fix shipped in Log4j 2.17, released a few hours ago. The impact is limited by the fact that the problem only manifests on systems running Java 8.

The vulnerability affects configurations whose layout pattern uses a Context Lookup, such as ${ctx:var}, to pull thread-context (MDC) data into the log output. Log4j versions 2.0-alpha1 through 2.16.0 had no protection against uncontrolled recursion, so an attacker who controls the value being substituted can make the substitution loop endlessly, exhausting the stack and crashing the process. In particular, the problem is triggered by substituting values of the form "${${::-${::-$${::-j}}}}".
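The mechanism described above, as an added example: a deliberately simplified model of a ${...} substitutor with a ctx lookup, written for this page and not Log4j's own StrSubstitutor. It models the ${prefix:key} and ${prefix:key:-default} forms with nesting inside the name expression; the $$ escape is not modelled, the MDC map, the pattern string and the MAX_DEPTH value are assumptions, and the hardened variant shows one way to close the hole (insert resolved values verbatim and bound nesting depth) rather than the exact change made in 2.17.

```javascript
// Index of the '}' that closes the '${' whose body starts at `start`.
function findClosing(text, start) {
  let depth = 1;
  for (let k = start; k < text.length; k++) {
    if (text.startsWith('${', k)) depth++;
    else if (text[k] === '}' && --depth === 0) return k;
  }
  throw new Error('unterminated ${ in ' + JSON.stringify(text));
}

// Resolve "prefix:key[:-default]" against the thread-context (MDC) map.
// Only the "ctx" prefix is modelled; unknown variables yield the default ('' if none).
function lookup(nameExpr, ctx) {
  const sep = nameExpr.indexOf(':-');
  const name = sep === -1 ? nameExpr : nameExpr.slice(0, sep);
  const fallback = sep === -1 ? '' : nameExpr.slice(sep + 2);
  const colon = name.indexOf(':');
  if (colon !== -1 && name.slice(0, colon) === 'ctx') {
    const key = name.slice(colon + 1);
    if (Object.prototype.hasOwnProperty.call(ctx, key)) return ctx[key];
  }
  return fallback;
}

// Vulnerable variant: the resolved value is scanned for ${...} again, with no
// depth bound, so an MDC value that refers back to its own lookup expands
// forever until the call stack is exhausted (the DoS the advisory describes).
function substituteVulnerable(text, ctx) {
  let out = '';
  for (let i = 0; i < text.length; ) {
    if (text.startsWith('${', i)) {
      const j = findClosing(text, i + 2);
      const value = lookup(substituteVulnerable(text.slice(i + 2, j), ctx), ctx);
      out += substituteVulnerable(value, ctx); // <-- unbounded recursion on attacker data
      i = j + 1;
    } else {
      out += text[i++];
    }
  }
  return out;
}

const MAX_DEPTH = 8; // assumed limit for nested name expressions

// Hardened variant: only the name expression (whose nesting is bounded by the
// pattern's own length and by MAX_DEPTH) is expanded; the resolved value is
// inserted verbatim and never re-scanned, so self-reference cannot loop.
function substituteHardened(text, ctx, depth = 0) {
  if (depth > MAX_DEPTH) throw new Error('substitution nesting deeper than ' + MAX_DEPTH);
  let out = '';
  for (let i = 0; i < text.length; ) {
    if (text.startsWith('${', i)) {
      const j = findClosing(text, i + 2);
      out += lookup(substituteHardened(text.slice(i + 2, j), ctx, depth + 1), ctx);
      i = j + 1;
    } else {
      out += text[i++];
    }
  }
  return out;
}

// Render a layout pattern against an MDC map and report the outcome instead of
// letting a stack overflow propagate, so both variants can be compared.
function renderEvent(pattern, ctx, hardened) {
  try {
    return 'ok: ' + (hardened ? substituteHardened : substituteVulnerable)(pattern, ctx);
  } catch (e) {
    if (e instanceof RangeError) return 'crash: stack exhausted (' + e.message + ')';
    return 'refused: ' + e.message;
  }
}

// Constructed scenario: the layout carries a Context Lookup and the attacker
// controls the MDC value (for example a login name that is copied into the MDC).
const PATTERN = '[${ctx:loginId}] request handled';
const benignCtx = { loginId: 'alice' };
const hostileCtx = { loginId: '${ctx:loginId}' }; // self-referential value

console.log(renderEvent(PATTERN, benignCtx, false));  // ok: [alice] request handled
console.log(renderEvent(PATTERN, hostileCtx, false)); // crash: stack exhausted (...)
console.log(renderEvent(PATTERN, hostileCtx, true));  // ok: [${ctx:loginId}] request handled
```

The interesting property is the third line: once lookup results stop being re-interpreted, attacker-controlled log data is just data again, and the remaining nesting is bounded by the size of the configured pattern rather than by anything the attacker sends.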

In addition, researchers at Blumira have proposed an attack vector against vulnerable Java applications that do not accept external network requests at all; developer workstations and end-user machines running Java applications could be attacked this way. The idea is that if a vulnerable Java process on the user's machine accepts network connections from localhost, or handles RMI requests (Remote Method Invocation, port 1099), the attack can be carried out by JavaScript code when the user opens a malicious page in the browser. To open a connection to the Java application's network port, the attack uses the WebSocket API, which, unlike HTTP requests issued by a page, is not subject to the same-origin restrictions (WebSocket can also be used to scan network ports on the local host to discover which listeners are present).
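The port-discovery step mentioned above, as an added example of what page JavaScript can observe through the WebSocket API. This is illustrative code written for this page, not Blumira's proof of concept: the host 127.0.0.1, the port list and the FAST_FAIL_MS threshold are assumptions, and the timing heuristic has to be calibrated per browser and machine. It is meant to be run from a browser console; in Node only the pure classification function is exercised.

```javascript
// The browser performs the WebSocket handshake (a plain HTTP request) before
// any same-origin decision applies, so a page never sees the reply body but
// can still observe whether, and how quickly, the connection attempt fails.

const FAST_FAIL_MS = 100; // assumed: refused connections fail well under this

// Turn a probe's outcome ('open' | 'error' | 'timeout') and its duration into a verdict.
function classifyProbe(elapsedMs, outcome) {
  if (outcome === 'open') return 'websocket-server';
  if (outcome === 'timeout') return 'listener-holding-connection';
  // A closed port is refused almost immediately; a listener that reads the
  // handshake and then drops it takes measurably longer.
  return elapsedMs < FAST_FAIL_MS ? 'closed-or-filtered' : 'listener-rejected-handshake';
}

// Probe one port and resolve with { port, elapsedMs, verdict }. Ports on the
// browser's blocked list make the constructor throw synchronously.
function probePort(host, port, timeoutMs = 2000) {
  return new Promise((resolve) => {
    const started = performance.now();
    let settled = false;
    const finish = (outcome) => {
      if (settled) return;
      settled = true;
      const elapsed = performance.now() - started;
      resolve({ port, elapsedMs: Math.round(elapsed), verdict: classifyProbe(elapsed, outcome) });
    };
    let ws;
    try {
      ws = new WebSocket(`ws://${host}:${port}/`);
    } catch (e) {
      resolve({ port, elapsedMs: 0, verdict: 'blocked-by-browser' });
      return;
    }
    ws.onopen = () => { finish('open'); ws.close(); };
    ws.onerror = () => finish('error');
    ws.onclose = () => finish('error');
    setTimeout(() => { finish('timeout'); try { ws.close(); } catch (_) {} }, timeoutMs);
  });
}

// Probe a list of local ports sequentially (parallel probes skew the timings).
async function probeLocalPorts(ports, host = '127.0.0.1') {
  const results = [];
  for (const port of ports) results.push(await probePort(host, port));
  return results;
}

// Usage from a browser console (assumed port list, including the RMI registry port):
// probeLocalPorts([1099, 8080, 8443, 9000]).then((r) => console.table(r));
```

Whatever the page learns this way, the payload delivery in the described attack is simply the handshake request itself: everything the page puts into the URL path reaches the listener as request bytes, so a local Java process that logs incoming requests through a vulnerable Log4j sees attacker-chosen text without any external network exposure. The server-side counterpart is to reject handshakes whose Origin header is not one you issued, which the browser sends but does not enforce.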


Also of interest are the results Google published from an analysis of how many libraries are exposed through their dependency on Log4j. According to Google, the problem affects 8% of all packages in the Maven Central repository: 35,863 Java packages were found to be exposed through direct or transitive dependencies on Log4j. Log4j is a direct first-level dependency in only 17% of these cases; in the other 83% the exposure comes through intermediate packages that themselves depend on Log4j, i.e. through second-level and deeper dependencies (21% second level, 12% third, 14% fourth, 26% fifth, 6% sixth). The pace of remediation leaves much to be desired: a week after the vulnerability was disclosed, only 4,620 of the 35,863 affected packages, i.e. 13%, had been fixed.


Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring federal agencies to identify information systems affected by the Log4j vulnerability and to install updates that block the problem by December 23. By December 28 the agencies must report on the work done. To simplify the identification of affected systems, a list of products confirmed to be vulnerable has been compiled (the list contains more than 23 thousand entries).

Source: opennet.ru
