Another Log4j 2 vulnerability has been found and rated as dangerous


A few weeks ago, news of the Log4j security problems had many users on the network scrambling to respond. It is one of the most widely exploited bugs, and many experts have labelled it "the most dangerous in a long time". Among the vulnerabilities that have been disclosed, we have covered some of them here on the blog, and this time we have news of another one.

A few days ago it was reported that another vulnerability had been found in the Log4j 2 library (already listed as CVE-2021-45105) which, unlike the two previous issues, is classified as dangerous but not critical.

The new problem allows a denial of service and shows up as loops and abnormal terminations when certain strings are processed.

The vulnerability affects systems that use context lookups, such as `${ctx:var}`, to define the log output format.

Log4j versions 2.0-alpha1 through 2.16.0 lacked protection against uncontrolled recursion, which allowed an attacker who controls the value used in the substitution to cause an infinite loop that exhausts the stack and makes the process hang. Specifically, the problem occurred when substituting values such as `${${::-${::-$${::-j}}}}`.
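To make the failure mode concrete, here is a deliberately simplified model of lookup substitution (added for this article; it is not Log4j's own StrSubstitutor code). It assumes a toy grammar with only the `${ctx:key}` and `${ctx:key:-default}` forms, and shows an expander that re-scans its own output until nothing changes beside a hardened one with a depth cap, fed a constructed pair of context values that refer to each other.

```python
import re

# Innermost lookup: a "${...}" whose body contains no further "${".
# Toy grammar (simplified model, not Log4j's real substitutor):
#   ${ctx:key}            -> value of key in the thread context map
#   ${ctx:key:-default}   -> default when key is absent
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# Constructed sample: two context values that expand into each other.
LOOP_CTX = {"a": "${ctx:b}", "b": "${ctx:a}"}


class LookupDepthExceeded(Exception):
    """Raised by the hardened expander instead of recursing until the stack dies."""


def _resolve(body, ctx):
    """Resolve one lookup body such as 'ctx:user' or 'ctx:user:-anon'."""
    spec, sep, default = body.partition(":-")
    prefix, _, key = spec.partition(":")
    if prefix == "ctx" and key in ctx:
        return ctx[key]
    # No default given: leave the lookup text as-is so expansion terminates.
    return default if sep else "${" + body + "}"


def expand_unbounded(template, ctx):
    """Model of the flaw: re-expand the output until a round changes nothing."""
    out = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1), ctx), template)
    return out if out == template else expand_unbounded(out, ctx)


def expand_bounded(template, ctx, max_depth=8, _depth=0):
    """Hardened model: identical expansion, but a hard cap on re-expansion rounds."""
    if _depth > max_depth:
        raise LookupDepthExceeded(f"nesting deeper than {max_depth}: {template!r}")
    out = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1), ctx), template)
    return out if out == template else expand_bounded(out, ctx, max_depth, _depth + 1)


def exhausts_stack(template, ctx):
    """True when the unbounded model dies the way the article describes."""
    try:
        expand_unbounded(template, ctx)
        return False
    except RecursionError:
        return True


def format_event(pattern, ctx):
    """What a logging layer should do: degrade gracefully instead of hanging."""
    try:
        return expand_bounded(pattern, ctx)
    except LookupDepthExceeded as err:
        return f"[lookup aborted: {err}]"
```

Ordinary patterns, including a lookup nested inside another, still resolve; only the self-referential context values trip the cap.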

It is also worth noting that Blumira researchers have proposed an attack on vulnerable Java applications that do not accept requests from external networks; for example, the systems of developers or of users of Java applications could be attacked this way.

The essence of the method is that if the user's system runs vulnerable Java processes that accept network connections only from the local host (localhost), or that handle RMI requests (Remote Method Invocation, port 1099), the attack can be carried out by JavaScript code executed when the user opens a malicious page in the browser. To connect to the Java application's network port in such an attack, the WebSocket API is used, which, unlike HTTP requests, does not enforce same-origin restrictions (WebSocket can also be used to scan network ports on the local host to determine which network handlers are available).

The results of Google's assessment of the vulnerability of libraries that depend on Log4j are also interesting. According to Google, the problem affects 8% of all packages in the Maven Central repository.

Specifically, 35,863 Java packages related to Log4j through direct and indirect dependencies were exposed to the vulnerabilities. Log4j is used as a direct, first-level dependency in only 17% of the cases; in 83% of the affected packages the binding goes through intermediate packages that depend on Log4j, that is, through dependencies of the second level or higher (21% second level, 12% third, 14% fourth, 26% fifth, 6% sixth).

The pace of remediation still leaves much to be desired: a week after the vulnerability was discovered, the problem had been fixed in only 4,620 of the 35,863 packages identified, that is, 13%.

Changes to the packages are needed to update their dependency requirements and replace the old version bindings with fixed versions of Log4j 2 (Java packages bind to a specific version rather than an open range that would allow a newer version to be installed).

Eliminating the vulnerability in Java applications is hampered by the fact that programs often ship their own copy of the libraries, so updating the Log4j 2 version in the system packages is not enough.

Meanwhile, the US Cybersecurity and Infrastructure Security Agency has issued an emergency directive requiring federal agencies to identify information systems affected by the Log4j vulnerability and install the updates that block the problem before December 23.

In addition, a deadline of December 28 has been set for organizations to report on the work carried out. To simplify the identification of problematic systems, a list of products confirmed to be vulnerable has been prepared (the list contains more than 23 thousand applications).

Finally, it is worth mentioning that the vulnerability has been fixed in Log4j 2.17, published a few days ago, and users who have updates disabled are advised to apply the corresponding update. The risk is also reduced by the fact that the problem manifests itself on systems with Java 8.

Source: https://logging.apache.org/

