Log4j 2.17.1 update with another vulnerability fixed

Corrective releases of the Log4j library, versions 2.17.1, 2.3.2-rc1 and 2.12.4-rc1, have been published, fixing another vulnerability (CVE-2021-44832). The issue is reported to allow remote code execution (RCE), but it is rated moderate (CVSS score 6.6) and is mainly of theoretical interest, since exploitation requires specific conditions: the attacker must be able to modify the Log4j configuration file, i.e. must already have access to the attacked system and the rights to change the value of the log4j2.configurationFile configuration parameter or to edit the existing logging configuration files.

The attack relies on defining, on the local system, a configuration based on the JDBC Appender that references an external JNDI URI, from which a Java class can be requested and returned for execution. By default, the JDBC Appender is not configured to handle non-Java protocols, i.e. without changing the configuration the attack is not possible. In addition, the issue affects only the log4j-core JAR and does not affect applications that use the log4j-api JAR without log4j-core. ...
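Since the precondition described above is a configuration change rather than a code bug, a defender's natural check is to audit the logging configuration itself: find every JDBC Appender whose DataSource is resolved through JNDI and flag those whose jndiName points outside the local `java:` namespace. The script below is an added example, not code from the original article or from the Log4j project; the sample log4j2.xml it parses is constructed here, and the external ldap:// address in it is a documentation-range placeholder. It handles both the compact `<JDBC>` element form and the strict `<Appender type="JDBC">` form of Log4j 2 XML configuration; JSON, YAML and properties configurations are out of scope.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml (not from the original page). One JDBC appender
# uses a container-local java: DataSource, the other references an external
# JNDI URI, which is exactly the configuration CVE-2021-44832 depends on.
SAMPLE_LOG4J2_XML = """
<Configuration status="warn">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%m%n"/>
    </Console>
    <JDBC name="AuditDb" tableName="audit">
      <DataSource jndiName="java:comp/env/jdbc/AuditDb"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <Appender type="JDBC" name="Suspicious" tableName="x">
      <DataSource jndiName="ldap://203.0.113.10:1389/placeholder"/>
      <Column name="message" pattern="%m"/>
    </Appender>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
""".strip()


def _is_jdbc_appender(el):
    """Log4j 2 XML tags are case-insensitive; accept <JDBC> and <Appender type="JDBC">."""
    tag = el.tag.lower()
    if tag == "jdbc":
        return True
    return tag == "appender" and (el.get("type") or "").lower() == "jdbc"


def find_jndi_jdbc_appenders(xml_text):
    """Return (appender_name, jndi_name, is_external) for every JDBC appender
    whose DataSource is resolved through JNDI.

    is_external is True when the jndiName does not live in the local java:
    namespace, e.g. an ldap:// or rmi:// URI that would fetch a remote object.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for appender in root.iter():
        if not _is_jdbc_appender(appender):
            continue
        for child in appender.iter():
            if child.tag.lower() != "datasource":
                continue
            jndi_name = child.get("jndiName", "")
            is_external = not jndi_name.lower().startswith("java:")
            findings.append((appender.get("name"), jndi_name, is_external))
    return findings


def external_jndi_appenders(xml_text):
    """Only the findings a reviewer must act on: JNDI DataSources outside java:."""
    return [f for f in find_jndi_jdbc_appenders(xml_text) if f[2]]


if __name__ == "__main__":
    for name, jndi, external in find_jndi_jdbc_appenders(SAMPLE_LOG4J2_XML):
        verdict = "EXTERNAL JNDI - review" if external else "local java: namespace"
        print(f"JDBC appender {name!r}: jndiName={jndi!r} -> {verdict}")
```

Run it against a real deployment by replacing `SAMPLE_LOG4J2_XML` with the contents of the file named by `log4j2.configurationFile` (or the default log4j2.xml on the classpath). A non-empty result from `external_jndi_appenders` is a configuration that should not exist in production regardless of Log4j version; an empty result, combined with upgrading to one of the corrective releases named above, closes this issue.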

Source: opennet.ru
