Log4j 2.17.1 update fixes another vulnerability

Corrective releases of the Log4j library, 2.17.1, 2.3.2-rc1 and 2.12.4-rc1, have been published, fixing another vulnerability (CVE-2021-44832). The issue is said to allow remote code execution (RCE), but it is marked as benign (CVSS Score 6.6) and is of theoretical interest only, because exploitation requires specific conditions: the attacker must be able to make changes to the Log4j configuration file, i.e. must have access to the attacked system and the authority to change the value of the log4j2.configurationFile configuration parameter or to modify existing files that contain logging settings.

The attack comes down to defining, on the local system, a configuration based on the JDBC Appender that refers to an external JNDI URI; a request to that URI can return a Java class for execution. By default, the JDBC Appender is not configured to handle non-Java protocols, i.e. without a change to the configuration the attack is impossible. In addition, the issue affects only the log4j-core JAR and does not affect applications that use the log4j-api JAR without log4j-core. ...
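An added example, not part of the original article or the Log4j project: a Python check a defender can run over Log4j 2 XML configuration files to flag any JDBC Appender whose DataSource `jndiName` does not use the `java:` scheme. The sample configurations, the placeholder host and the function name `audit_jdbc_appenders` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from the article).
SAFE_CONFIG = """<Configuration>
  <Appenders>
    <JDBC name="db" tableName="app_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>"""

# Same appender, but the data source name points at a non-Java protocol.
SUSPECT_CONFIG = SAFE_CONFIG.replace(
    "java:/comp/env/jdbc/LoggingDataSource", "ldap://placeholder.invalid/ds")


def _kinds(elem):
    """Names an element can be known by: its tag (namespace stripped) and,
    for the strict <Appender type="JDBC"> form, its type attribute."""
    tag = elem.tag.rsplit("}", 1)[-1]
    return {tag.lower(), (elem.get("type") or "").lower()}


def audit_jdbc_appenders(xml_text):
    """Return (appender name, jndiName) for every JDBC appender whose
    DataSource name does not start with the java: scheme."""
    findings = []
    for appender in ET.fromstring(xml_text).iter():
        if "jdbc" not in _kinds(appender):
            continue
        for source in appender.iter():
            if "datasource" not in _kinds(source):
                continue
            # Compare attribute names case-insensitively.
            attrs = {k.lower(): v for k, v in source.attrib.items()}
            jndi = attrs.get("jndiname", "").strip()
            # Anything other than a literal java: name is reported,
            # including empty values and unresolved ${...} substitutions.
            if not jndi.startswith("java:"):
                findings.append((appender.get("name"), jndi))
    return findings


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("suspect", SUSPECT_CONFIG)):
        print(label, audit_jdbc_appenders(cfg))
```

The check covers only XML configurations; files named by log4j2.configurationFile in JSON, YAML or properties format need an equivalent check.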

Source: opennet.ru
