Critical 0-day vulnerability in the Spring Framework used in many Java projects

A critical zero-day vulnerability has been identified in the Spring Core module, part of the Spring Framework. The vulnerability allows an unauthenticated remote attacker to execute code on the server. It is not yet clear how severe the impact of this issue will be, or whether attacks will become as widespread as those seen with the Log4j 2 vulnerability. The vulnerability has been given the code name Spring4Shell, but a CVE identifier has not yet been assigned. The issue remains unfixed in the Spring Framework, and several exploit prototypes are already available online (1, 2, 3, 4). The problem is aggravated by the fact that many enterprise Java applications built on the Spring Framework run with root privileges, which allows the vulnerability to fully compromise the system.

According to some estimates, the Spring Core module is used in 74% of Java applications. The severity of the vulnerability is reduced by the fact that it only affects applications that use the "@RequestMapping" annotation when binding request handlers and that bind web form parameters in the "name=value" format (POJO, Plain Old Java Object) rather than using JSON/XML.

It is not yet clear which Java applications and frameworks are affected by this issue. The vulnerability is blocked by blacklisting the fields "class", "module" and "classLoader", or by using an explicit whitelist of allowed fields. Exploitation is only possible with Java/JDK 9 or later. The issue is caused by a bypass of the fix for CVE-2010-1622, a vulnerability fixed in the Spring Framework back in 2010 that involved the classLoader handler being invoked when request parameters were parsed.

The exploit works by sending a request with the parameters "class.module.classLoader.resources.context.parent.pipeline.first.*". Manipulating these parameters creates a JSP file in the Apache Tomcat root environment and writes the attacker-specified code into that file. The created file is accessible for direct requests and can be used as a web shell. To attack a vulnerable application in the Apache Tomcat environment, it is enough to send a request with specific parameters using the curl utility:

```
curl -v -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=code_to_insert_into_file&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" http://localhost:8080/springmvc5-helloworld-exmaple-0.0.1-SNAPSHOT/rapid7
```

This issue in Spring Core should not be confused with the recently discovered vulnerabilities CVE-2022-22963 and CVE-2022-22950. The first affects the Spring Cloud package and was fixed in releases 3.1.7 and 3.2.3. The second affects Spring Expression and was fixed in Spring Framework 5.3.17. These are completely different vulnerabilities. The Spring Framework developers have not yet made any statement about the new vulnerability or published a fix.

As a temporary protective measure, it is recommended to apply a blacklist of disallowed request parameters in the code:

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Registers a binder initializer for every controller; the high order value
// runs it after other advice so the denylist is applied last.
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Field-name patterns that must never be bound from request parameters
        String[] denylist = new String[]{"class.", "Class.", ".class.", ".Class."};
        dataBinder.setDisallowedFields(denylist);
    }
}
```
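For teams that cannot redeploy immediately, a complementary step is to look for the binder-traversal parameter names from the article in web server logs. The following Python script is an added example, not code from the article or from the Spring project; it applies the same "class." substring rule as the Java denylist above to each parameter name (a simple substring interpretation, assumed here), reports which Tomcat valve properties a request touched, and runs over constructed sample access-log lines.

```python
"""Added example: flag Spring4Shell-style binder traversal parameters in access logs."""
import re
from urllib.parse import parse_qsl, urlsplit

# Same patterns as the WebDataBinder denylist in the workaround; checked as substrings here.
DENYLIST = ("class.", "Class.", ".class.", ".Class.")

# Parameter prefix the published exploit uses to reach the Tomcat valve (from the article).
TOMCAT_PIPELINE = "class.module.classLoader.resources.context.parent.pipeline.first."

# Minimal combined-log-format matcher (constructed for this example, not a full CLF parser).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_disallowed_field(name: str) -> bool:
    """True when a parameter name contains any denylisted 'class.' segment."""
    return any(pattern in name for pattern in DENYLIST)


def classify_params(query: str) -> dict:
    """Return the disallowed parameter names and the Tomcat valve properties they set."""
    params = parse_qsl(query, keep_blank_values=True)
    hits = [k for k, _ in params if is_disallowed_field(k)]
    valve_props = sorted({k[len(TOMCAT_PIPELINE):] for k in hits if k.startswith(TOMCAT_PIPELINE)})
    return {"disallowed": hits, "valve_props": valve_props}


def scan_access_log(lines):
    """Return (ip, target, detail) for requests whose query string carries denylisted names.

    Standard access logs do not record POST bodies, so body parameters (as in the curl
    example) need WAF or request-body logs fed through classify_params() separately.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        detail = classify_params(urlsplit(m["target"]).query)
        if detail["disallowed"]:
            findings.append((m["ip"], m["target"], detail))
    return findings


# Constructed sample lines: one benign request, one carrying valve-manipulation keys.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2022:10:00:01 +0000] "GET /app/greeting?name=alice HTTP/1.1" 200 512',
    '198.51.100.9 - - [31/Mar/2022:10:00:07 +0000] "GET /app/greeting?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, target, detail in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {detail}")
```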

Source: opennet.ru
