Another vulnerability in Log4j 2. Log4j issues affect 8% of Maven packages

Another vulnerability has been identified in the Log4j 2 library (CVE-2021-45105) which, unlike the two previous issues, has been classified as dangerous but not critical. The new issue allows a denial of service to be caused and manifests itself as loops and crashes when certain strings are processed. The vulnerability is fixed in the Log4j 2.17 release, published a few hours ago. The danger of the vulnerability is reduced by the fact that the problem only occurs on systems with Java 8.

The vulnerability affects systems that use Context Lookup queries, such as ${ctx:var}, to define the log output format. Log4j versions from 2.0-alpha1 to 2.16.0 had no protection against uncontrolled recursion, which allowed an attacker to control the value used in the substitution in order to cause a loop, leading to stack exhaustion and a crash. In particular, the problem occurred when substituting values such as "${${::-${::-$${::-j}}}}".

Additionally, it is worth noting that researchers from Blumira have proposed an attack option against vulnerable Java applications that do not accept external network requests; for example, developers' systems or users of Java applications could be attacked this way. The essence of the method is that if there are vulnerable Java processes on the user's system that accept network connections only from the local host, or that process RMI requests (Remote Method Invocation, port 1099), the attack can be carried out by JavaScript code executed when the user opens a malicious page in the browser. To establish a connection to the Java application's network port during such an attack, the WebSocket API is used, to which, unlike HTTP requests, same-origin restrictions are not applied (WebSocket can also be used to scan network ports on the local host to determine which network handlers are available).


Also of interest are the results published by Google of an assessment of the exposure of libraries linked to Log4j through dependencies. According to Google, the problem affects 8% of all packages in the Maven Central repository. Specifically, 35,863 Java packages associated with Log4j through direct and indirect dependencies were found to be exposed to the vulnerabilities. At the same time, Log4j is used as a direct first-level dependency in only 17% of cases; in 83% of the affected packages the link is through intermediate packages that depend on Log4j, i.e. dependencies of the second level and above (21% second level, 12% third, 14% fourth, 26% fifth, 6% sixth). The pace of fixing the vulnerability still leaves much to be desired: a week after the vulnerability was identified, of the 35,863 identified packages the problem has so far been fixed in only 4,620, i.e. 13%.
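The transitive-dependency problem described above, and the affected version range from the earlier paragraph (2.0-alpha1 through 2.16.0, fixed in 2.17.0), are what a project owner has to check in their own build. The following Python script is an added example, not code from the article or from Google: it parses the text output of `mvn dependency:tree` (the sample tree below is constructed, not a real project), finds every `log4j-core` node, reports its version and nesting depth (1 = direct dependency, higher = transitive), and flags versions inside the vulnerable range.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output for a hypothetical project.
# log4j-core appears once as a direct dependency and twice transitively.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:lib-a:jar:3.2.0:compile
[INFO] |  \\- com.example:lib-b:jar:1.1.0:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] \\- com.example:lib-c:jar:0.9.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
"""

FIXED_IN = (2, 17, 0)  # CVE-2021-45105 is fixed in Log4j 2.17.0

# One tree node: optional drawing prefix ("|  " or "   " per level), then "+- " or "\- ",
# then the Maven coordinates groupId:artifactId:packaging:version:scope.
NODE = re.compile(r"^\[INFO\] (?P<prefix>(?:[| ]  )*)[+\\]- (?P<gav>.+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.16.0' into (2, 16, 0); a pre-release tag such as '2.0-alpha1' becomes (2, 0)."""
    numbers: List[int] = []
    for part in re.split(r"[.-]", version):
        if not part.isdigit():
            break
        numbers.append(int(part))
    return tuple(numbers)


def is_affected(version: str) -> bool:
    """True for any 2.x release below 2.17.0, i.e. the 2.0-alpha1 .. 2.16.0 range."""
    parsed = parse_version(version)
    return parsed[:1] == (2,) and parsed < FIXED_IN


def find_log4j_core(tree_text: str) -> List[Dict]:
    """Return every log4j-core occurrence with its version, depth and affected flag."""
    findings: List[Dict] = []
    for line in tree_text.splitlines():
        match = NODE.match(line)
        if not match:
            continue
        coords = match.group("gav").split(":")
        if len(coords) < 4:
            continue
        group_id, artifact_id, _packaging, version = coords[:4]
        if (group_id, artifact_id) != ("org.apache.logging.log4j", "log4j-core"):
            continue
        depth = len(match.group("prefix")) // 3 + 1  # each tree level is 3 characters wide
        findings.append({"version": version, "depth": depth, "affected": is_affected(version)})
    return findings


if __name__ == "__main__":
    for f in find_log4j_core(SAMPLE_TREE):
        kind = "direct" if f["depth"] == 1 else f"transitive (level {f['depth']})"
        print(f"log4j-core {f['version']} {kind}: {'AFFECTED' if f['affected'] else 'ok'}")
```

Run `mvn dependency:tree > tree.txt` in the project and feed the file contents to `find_log4j_core` instead of the sample; a transitive hit at level 2 or deeper has to be fixed through the intermediate package or an explicit version override, not just in the project's own POM.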


Meanwhile, the US Cybersecurity and Infrastructure Security Agency has issued an emergency directive requiring federal agencies to identify information systems affected by the Log4j vulnerability and to install updates that block the problem by December 23. By December 28, agencies must report on the work done. To simplify the identification of problematic systems, a list of products confirmed to be affected by the vulnerability has been prepared (the list includes more than 23 thousand applications).

Source: opennet.ru
