Another Log4j 2 vulnerability has been found and rated as dangerous


A few weeks ago, news of the Log4j security problems kept many users on the network on edge, since it is one of the most widely exploited vulnerabilities and one that many experts called "the most dangerous in a long time". Of the vulnerabilities that were disclosed, we covered some of them here on the blog, and this time we have news of another one.

The fact is that a few days ago it was announced that another vulnerability had been found in the Log4j 2 library (already tracked as CVE-2021-45105), and that, unlike the two previous issues, it was classified as dangerous but not critical.

The new problem allows a denial of service and manifests itself as looping and abnormal termination when certain strings are processed.

The vulnerability affects systems that use context lookups, such as ${ctx:var}, to define the log output format.

Log4j versions 2.0-alpha1 through 2.16.0 lacked protection against uncontrolled recursion, which allowed an attacker to manipulate the value used in the substitution so as to trigger an infinite loop that exhausts the stack and crashes the process. In particular, the problem occurred when substituting values such as "${${::-${::-$${::-j}}}}".
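As an added example (not code from the article or from the Log4j project), the check below parses a constructed log4j2.xml, flags every PatternLayout whose pattern uses a Context Lookup (the configuration this bug requires), and rewrites those lookups to the %X{key} thread-context pattern, which Apache's advisory for CVE-2021-45105 lists as the mitigation for users who cannot upgrade to 2.17.0. The appender names and the loginId key are assumptions made for the sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml: the "Risky" appender formats output through a
# Context Lookup (${ctx:...}), which is what CVE-2021-45105 needs; the "Safe"
# appender reads the same thread-context key with %X, bypassing the lookup engine.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Risky" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=${ctx:loginId} %m%n"/>
    </Console>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=%X{loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Risky"/></Root></Loggers>
</Configuration>
"""

# Matches ${ctx:key} and the deferred $${ctx:key} form, with an optional
# ":-default" suffix; group 1 is the thread-context key.
CTX_LOOKUP = re.compile(r"\$?\$\{ctx:([^:}]+)(?::-[^}]*)?\}")


def find_context_lookups(xml_text):
    """Return (appender name, pattern, keys) for every PatternLayout whose
    pattern attribute resolves thread-context values via a Context Lookup."""
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter():
        for layout in element.findall("PatternLayout"):
            pattern = layout.get("pattern", "")
            keys = CTX_LOOKUP.findall(pattern)
            if keys:
                findings.append((element.get("name"), pattern, keys))
    return findings


def to_thread_context_pattern(pattern):
    """Rewrite ${ctx:key} / $${ctx:key} to %X{key}. The %X converter reads the
    key directly and never re-enters the lookup engine, so attacker-controlled
    context values cannot recurse. Any ":-default" suffix is dropped."""
    return CTX_LOOKUP.sub(lambda m: "%%X{%s}" % m.group(1), pattern)


if __name__ == "__main__":
    for name, pattern, keys in find_context_lookups(SAMPLE_CONFIG):
        print(f"{name}: lookup on {keys} -> {to_thread_context_pattern(pattern)}")
```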

It can also be noted that Blumira researchers proposed an attack vector against vulnerable Java applications that do not accept requests from external networks; for example, the systems of developers or of users of Java applications could be attacked in this way.

The essence of the method is that if there is a vulnerable Java process on the user's system that accepts network connections only from the local host (localhost), or that handles RMI requests (Remote Method Invocation, port 1099), the attack can be carried out by JavaScript code executed when the user opens a malicious page in the browser. To establish a connection to a network port of the Java application in such an attack, the WebSocket API is used, to which, unlike HTTP requests, similar restrictions are not applied (WebSocket can also be used to scan network ports on the local host to determine which handlers are available).

The results of Google's assessment of the vulnerability of libraries that depend on Log4j are also of interest. According to Google, the problem affects 8% of all packages in the Maven Central repository.

In particular, 35,863 Log4j-related Java packages with direct and indirect dependencies were exposed to the vulnerability. However, Log4j is used as a direct first-level dependency in only 17% of cases; in 83% of the packages covered by the vulnerability, the binding goes through intermediate packages that depend on Log4j, i.e. second- and higher-level dependencies (21% second level, 12% third, 14% fourth, 26% fifth, 6% sixth).

The pace of fixing the vulnerability still leaves much to be desired: a week after the vulnerability was discovered, of the 35,863 packages identified, the problem had so far been fixed in only 4,620, i.e. 13%.

Package changes are required to update the dependency requirements and replace old version bindings with the fixed version of Log4j 2 (Java packages practice binding to a specific version rather than an open version range that would allow the current version to be installed).

Removing the vulnerability from Java applications is hampered by the fact that programs often ship a copy of the libraries in their distribution, so it is not enough to fix the Log4j 2 version in the system packages.

Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to identify information systems affected by the Log4j vulnerability and to install updates that block the problem.

In addition, a deadline of December 28 was set, by which agencies were obliged to report on the work done. To simplify the identification of problem systems, a list of products in which the vulnerability has been confirmed was prepared (there are more than 23 thousand applications on the list).

Finally, it is worth mentioning that the vulnerability was fixed in Log4j 2.17, released a few days ago, and users with affected configurations are advised to update accordingly; in addition, the risk of the vulnerability is reduced by the fact that the problem only manifests on systems with Java 8.

Source: https://logging.apache.org/
