Jen Easterly, head of CISA, says Log4j is the worst flaw she has seen and that it will linger for years


CISA Director Jen Easterly says the Log4j security flaw is the worst she has seen in her career, and that security staff will be living with the consequences of the bug for a long time.

Left unpatched, the critical security flaw discovered last month in the Apache Log4j Java logging library puts large parts of the Internet at risk: criminals can exploit the vulnerability in this widely used software to hijack servers, exposing everything from consumer electronics to government and corporate systems to cyberattack.

On December 9, a vulnerability was discovered in the Apache log4j logging library. The library is used extensively in Java/J2EE software development projects, as well as by vendors of off-the-shelf Java/J2EE-based software products.

Log4j includes a lookup mechanism that can issue queries through a special syntax in a format string. By default, JNDI requests are resolved under the prefix java:comp/env/*; however, the authors also allowed a custom prefix, selected by a colon in the key. This is where the danger lies: if jndi:ldap:// is used as the key, the request goes to the LDAP server named in the key. Other protocols such as LDAPS, DNS and RMI can be used in the same way.

Consequently, a remote server controlled by an attacker can return an object to the vulnerable server, which can lead to arbitrary code execution on that system or to leakage of confidential data. All the attacker has to do is send a specially crafted string through any channel that ends up writing that string to a log file, so that it is processed by the Log4j library.

That can be done with simple HTTP requests, for example through web forms, form fields, headers and so on, or through any other kind of interaction that is logged on the server side.

  • Version 2.15.0 did not fix a further issue, CVE-2021-45046, which allowed a remote attacker with control over Thread Context Map (MDC) input data to craft malicious input using a JNDI lookup pattern. The result could be information leakage and remote code execution, fortunately only in some environments.
  • Version 2.16.0 fixed that issue. But it did not fix CVE-2021-45105, which the Apache Software Foundation describes as follows:

"Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack."

The vendor-independent bug bounty program Zero Day Initiative described the flaw like this:

"When a nested variable is substituted by the StrSubstitutor class, it recursively calls the substitute() class. However, when the nested variable references the variable being substituted, the recursion is called with the same string. This leads to an infinite recursion and a DoS condition on the affected server."

Another remote code execution bug, now tracked as CVE-2021-44832, was found in the same Apache Log4j logging library. It is the fourth vulnerability in the Log4j library.

Rated "moderate" in severity, with a CVSS score of 6.6, the vulnerability stems from the lack of additional controls on JNDI access in log4j: it is exploitable when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and the attacker controls the LDAP server it points to.

The Apache security team has released another version of Apache Log4j, 2.17.1, which fixes the newly discovered remote code execution bug CVE-2021-44832. It is one more unwelcome situation for many users, but it is again strongly recommended to update your systems to address this issue.

No US federal agency has been compromised as a result of the vulnerability, Jen Easterly told reporters on a call. Nor have any major cyberattacks linked to the bug been reported in the United States, although many attacks go unreported, she said.

Easterly said the scale of the vulnerability, which affects tens of millions of Internet-connected devices, makes it the worst she has seen in her career. Attackers can bide their time, she said, waiting for companies and others to lower their defenses before striking.

"We expect Log4Shell to be used in intrusions well into the future," Easterly said. She noted that the 2017 Equifax data breach, which compromised the personal information of nearly 150 million Americans, was caused by a vulnerability in open-source software.

So far, most attempts to exploit the bug have focused on low-level cryptocurrency mining or on trying to pull devices into botnets, she said.

Source: https://www.cnet.com



  1.   luix said

    It is because of over-engineering. Each component should do one thing and do it well. But developers have the bad habit of adding bits and pieces and extra lines that have no business being there, which only makes things more complex and more exposed to this kind of failure.. Like I said..