Log4j 2.17.1 fixes another vulnerability

Corrective releases of the Log4j library, versions 2.17.1, 2.3.2-rc1 and 2.12.4-rc1, have been published, fixing another vulnerability (CVE-2021-44832). The issue is stated to allow remote code execution (RCE), but it is rated as non-dangerous (CVSS score 6.6) and is mostly of academic interest, since exploitation requires specific conditions: the attacker must be able to change the Log4j configuration file, i.e. must already have access to the attacked system and the authority to change the value of the log4j2.configurationFile configuration parameter or to modify existing files containing logging settings.

The attack comes down to defining, on the local system, a configuration based on the JDBC Appender that references an external JNDI URI; in response to the request, a Java class can be returned for execution. By default, the JDBC Appender is not configured to handle non-Java protocols, i.e. without changes to the configuration the attack is not possible. In addition, the issue affects only the log4j-core JAR and does not affect applications that use the log4j-api JAR without log4j-core. ...
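As an added example (not code from the opennet.ru item or from the Log4j project), the following audit script parses a Log4j 2 XML configuration and reports JDBC appenders whose DataSource jndiName is not a local java: reference, which is the configuration precondition the article describes. The sample configuration, the appender names and the hostname jndi.example.invalid are constructed for the demonstration.

```python
"""Audit a Log4j 2 XML configuration for JDBC appenders whose DataSource
points at a non-local JNDI URI (the precondition CVE-2021-44832 requires).
Added example; not part of the original article or the Log4j project."""
import xml.etree.ElementTree as ET

# Constructed sample configuration: one appender with a legitimate
# in-container "java:" data source and one whose DataSource references an
# external JNDI URI (hostname is a placeholder, not a real indicator).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <JDBC name="AuditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/AuditDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="Suspicious" tableName="events">
      <DataSource jndiName="ldap://jndi.example.invalid:1389/dsname"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""


def find_unsafe_jdbc_jndi(xml_text):
    """Return (appender_name, jndiName) for each JDBC appender whose
    DataSource jndiName does not use the local "java:" scheme.
    Element names are compared case-insensitively, since Log4j 2 resolves
    plugin names without regard to case."""
    root = ET.fromstring(xml_text)
    findings = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender.iter():
            if child.tag.lower() != "datasource":
                continue
            jndi = child.get("jndiName", "")
            if not jndi.lower().startswith("java:"):
                findings.append((appender.get("name", "?"), jndi))
    return findings


if __name__ == "__main__":
    for name, jndi in find_unsafe_jdbc_jndi(SAMPLE_CONFIG):
        print(f"appender {name!r}: non-local JNDI data source {jndi!r}")
```

Run it against each log4j2.xml reachable through log4j2.configurationFile on hosts still carrying a log4j-core older than the fixed releases; an empty result means no JDBC appender relies on an external JNDI reference.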

Source: opennet.ru
