Another vulnerability in Log4j 2. Log4j problems affect 8% of Maven packages

Another vulnerability has been identified in the Log4j 2 library (CVE-2021-45105), which, unlike the two previous problems, is classified as dangerous but not critical. The new issue makes it possible to cause a denial of service and manifests as looping and crashes when certain strings are processed. The vulnerability is fixed in the Log4j 2.17 release, published a few hours ago. The danger of the vulnerability is reduced by the fact that the problem only appears on systems with Java 8.

The vulnerability affects systems that use context lookup queries (Context Lookup), such as ${ctx:var}, to define the log output format. Log4j versions from 2.0-alpha1 to 2.16.0 lacked protection against uncontrolled recursion, which allowed an attacker to manipulate the value used in the substitution so as to cause a loop, leading to stack space exhaustion and a crash. In particular, the problem occurred when substituting values such as "${${::-${::-$${::-j}}}}".

In addition, it can be noted that researchers from Blumira have proposed an attack scenario against vulnerable Java applications that do not accept external network requests; for example, the systems of developers or users of Java applications can be attacked in this way. The essence of the method is that if a vulnerable Java process on the user's system accepts network connections only from the local host, or handles RMI requests (Remote Method Invocation, port 1099), the attack can be carried out by JavaScript code executed when the user opens a malicious page in their browser. To establish a connection to the Java application's network port in such an attack, the WebSocket API is used, to which, unlike HTTP requests, same-origin restrictions do not apply (WebSocket can also be used to scan network ports on the local host in order to identify available network handlers).


Also of interest are the results published by Google of an analysis of the vulnerability of libraries that depend on Log4j. According to Google, the problem affects 8% of all packages in the Maven Central repository. Specifically, 35,863 Java packages linked to Log4j through direct and indirect dependencies were exposed to the vulnerabilities. At the same time, Log4j is used as a direct first-level dependency in only 17% of cases; in 83% of the affected packages the link is made through intermediate packages that depend on Log4j, i.e. dependencies of the second level and higher (21% second level, 12% third, 14% fourth, 26% fifth, 6% sixth). The pace at which the vulnerability is being fixed still leaves much to be desired: a week after the vulnerability was identified, of the 35,863 packages found, the problem has so far been fixed in only 4,620, i.e. 13%.


Meanwhile, the US Cybersecurity and Infrastructure Security Agency has issued an emergency directive requiring federal agencies to identify information systems affected by the Log4j vulnerability and to install updates that close the problem by December 23. By December 28, agencies are required to report on the work done. To simplify the identification of affected systems, a list of products confirmed to be vulnerable has been prepared (the list includes more than 23 thousand applications).

Source: opennet.ru
