Log4Shell, an internet vulnerability, recently affected millions of machines. Log4j, an obscure but nearly ubiquitous piece of software, is the cause.
Log4j is used to record all the activity that happens behind the scenes in a wide range of computer systems.
It is built as an open-source logging library that is used by businesses and even government organizations in many applications.
Being one of the worst cybersecurity holes ever disclosed, it is essential to protect your systems from this risk. But how?
Let's examine the Log4j vulnerability in detail and all the possible fixes for it.
What is Log4j?
Log4j is an open-source logging framework that lets software developers record various data from within their applications. It is part of the Apache Logging Services project, which is maintained by the Apache Software Foundation.
Hundreds of websites and applications use Log4j for essential functions such as logging, data processing, and other uses.
When you type in or click a bad link and get a 404 error notice, that is a routine example of Log4j at work. The web server hosting the domain of the link you tried to reach tells you that no such web page exists. It also records the event through Log4j for the server's system administrator.
Similar diagnostic messages are used in all kinds of software. In the online game Minecraft, for example, the server uses Log4j to record events such as total RAM in use and user commands sent to the console.
How does the vulnerability occur?
Lookups are a feature introduced in Log4j 2.0 that makes it possible to add extra information to log entries. One of these lookups is the JNDI (Java Naming and Directory Interface) lookup; JNDI is a Java API for communicating with directory services.
Using this mechanism, internal user IDs can be mapped to real user names. This lookup is what exposes the recently discovered RCE vulnerability, since one of the data types an LDAP server can return is a URI pointing to a Java class, which is then loaded into memory and executed by the Log4j instance.
Because the Log4j library does not validate its input, it is possible to inject a reference to an LDAP server from an untrusted source. Developers assume that data sent to the logs will be treated as plain text, so no additional validation is performed, and dangerous user input ends up in the logs.
A log statement might look like this:
A malicious user could place a JNDI lookup pointing to a rogue LDAP server in a URL parameter. The JNDI lookup might look like this:
The Log4j library then contacts this LDAP server at attacker.com to retrieve directory information, including the Java Factory and Java Codebase values.
These two attributes include a reference to a Java class, which is then loaded into memory and executed by the Log4j instance, completing the code execution.
Who is at risk?
The Log4j vulnerability is astonishingly widespread, affecting business applications, embedded devices, and the systems behind them. Affected applications include Cisco Webex, Minecraft, and FileZilla FTP.
However, this is not the full list. The flaw even affects the Ingenuity Mars 2020 helicopter mission, which uses Apache Log4j for event logging.
The security community has compiled a list of affected systems. Keep in mind that these lists are still evolving, so if a program or system is not listed, do not assume it is unaffected.
Exposure to this vulnerability is common, and even if your own tech stack does not use Java, security administrators should check with critical suppliers, SaaS vendors, cloud hosting providers, and web server providers to find out whether theirs does.
How to check for the Log4j vulnerability
The first step is to find out whether an attack has already taken place. You can do this by searching system logs for fragments of RCE payloads.
If a search for terms such as "jndi", "ldap", or "$::" turns up any log entries, security analysts should investigate further to determine whether it was a genuine attack or merely fingerprinting.
Many of the attacks seen in the wild turned out to have no harmful effect. Rather, they were carried out by security professionals to find out how many applications were exposed to this attack.
The next step is to identify every project that uses the Log4j library. If a version between 2.0-beta9 and 2.14.1 is in use, the project may be vulnerable.
Given how hard it is to determine exactly where this risk exists, it is sensible to assume that a project may be vulnerable and to treat upgrading the library as the best way to remove the risk of code execution.
A project is not at risk if the version in use is below 2.0-beta9, although the Log4j library should still be upgraded, because the 1.x branch is outdated and no longer receives fixes.
Even when a vulnerable project has been found, it is worth checking whether any data logged through Log4j contains values that a user can control. URLs, request parameters, headers, and cookies are examples of such data. If any of these are logged, the project is exposed.
This information helps with further investigation of the system logs and with determining whether your web application has already been attacked.
There are free online tools that can detect whether a web application is vulnerable. One of them is Log4Shell Hunter. It is open source and available on GitHub.
If a vulnerable code path is found in the web application, the payload supplied by the tool can be used to test it against the web application. The testing tool shows the interactions that took place between your web application and its LDAP server if the vulnerability was exploited.
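Triage of an inventory of Log4j versions is easy to get wrong by hand, because pre-release tags such as 2.0-beta9 do not sort as plain numbers. The following is an added Python example (not from the original post) that orders such versions correctly and maps each one to the status and interim action the post describes: the affected range 2.0-beta9 through 2.14.1, the formatMsgNoLookups flag for 2.10.0 and later, class removal below that, and 2.17.0 as the target. The inventory and the function names are constructed for the example.

```python
import re
from typing import List, Tuple

# Version boundaries exactly as the post states them.
FIRST_VULNERABLE = "2.0-beta9"   # start of the affected range
LAST_VULNERABLE = "2.14.1"       # last release affected by CVE-2021-44228
LOOKUP_FLAG_SINCE = "2.10.0"     # log4j2.formatMsgNoLookups exists from here on
FIXED = "2.17.0"                 # version the post tells you to move to

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple. A pre-release sorts
    below the final release of the same number (alpha < beta < rc < final),
    so 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    tag = (m.group(4) or "").lower()
    rank = {"alpha": 0, "beta": 1, "rc": 2, "": 3}[tag]
    return (major, minor, patch, rank, int(m.group(5) or 0))


def classify(version: str) -> str:
    """Status of one Log4j version with respect to Log4Shell."""
    v = parse_version(version)
    if v[0] < 2:
        return "eol-1.x"                 # unsupported branch, no fixes
    if v < parse_version(FIRST_VULNERABLE):
        return "not-affected"            # below 2.0-beta9
    if v <= parse_version(LAST_VULNERABLE):
        return "vulnerable"
    if v < parse_version(FIXED):
        return "upgrade-to-2.17.0"
    return "fixed"


def mitigation(version: str) -> str:
    """Interim action for one version, following the post's guidance."""
    status = classify(version)
    if status == "vulnerable":
        if parse_version(version) >= parse_version(LOOKUP_FLAG_SINCE):
            return ("set log4j2.formatMsgNoLookups=true (or the environment variable "
                    "LOG4J_FORMAT_MSG_NO_LOOKUPS=true), then upgrade to >= 2.17.0")
        return "remove JndiLookup.class from log4j-core, then upgrade to >= 2.17.0"
    return {
        "fixed": "no action needed for CVE-2021-44228",
        "upgrade-to-2.17.0": "upgrade to >= 2.17.0",
        "not-affected": "below 2.0-beta9: outside the affected range, upgrade anyway",
        "eol-1.x": "Log4j 1.x is end of life: migrate to Log4j 2.17.0 or later",
    }[status]


# Constructed inventory of (component, version) pairs; not real systems.
INVENTORY: List[Tuple[str, str]] = [
    ("web-frontend", "2.14.1"),
    ("batch-worker", "2.9.1"),
    ("legacy-report", "1.2.17"),
    ("search-api", "2.17.1"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """One row per component: name, version, status, recommended action."""
    return [(name, ver, classify(ver), mitigation(ver)) for name, ver in inventory]


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("%-14s %-8s %-18s %s" % row)
```

The version string should come from the jar's manifest or your build system rather than from a file name alone, since a shaded or renamed jar can hide the real version; the classification logic stays the same either way.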
Solutions for the Log4j vulnerability
The first step is to upgrade Log4j, which you can do with your usual package manager or by downloading it directly from this page.
It is also possible to limit exploitation of the vulnerability by setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. This countermeasure, however, only works for Log4j versions greater than or equal to 2.10.
Now let's consider some other options.
1. Use Log4j version 2.17.0
It is strongly recommended to use Log4j version 2.15.0 to protect against Log4Shell; however, if this is not possible, other solutions exist.
Log4j versions 2.7.0 and later: It is possible to protect against any attack by changing the format of logged events so that user-supplied data is rendered with the %m{nolookups} syntax. This fix requires editing the Log4j configuration file and releasing a new version of the program. Consequently, before deploying this new version, the technical and functional validation steps must be repeated.
Log4j versions 2.10.0 and later: It is also possible to prevent any attack by setting the log4j2.formatMsgNoLookups configuration parameter to true, for example by starting the Java virtual machine with the -Dlog4j2.formatMsgNoLookups=true option. Another option is to remove the JndiLookup class from the classpath, which removes the main attack vector (researchers do not rule out the existence of another attack vector).
Amazon Web Services offers a hotpatch that "should be used at your own risk." Other "techniques," such as Logout4Shell, which "uses the vulnerability against itself," have been released. Security experts question the legality of this approach, which amounts to "hacking a machine to fix it."
2. The issue is fixed in Log4j v2.17.0
For versions above 2.10: log4j2.formatMsgNoLookups must be set to true.
For versions 2.0 through 2.10.0: Run the following command to remove the LDAP class from Log4j.
log4j2.formatMsgNoLookups must be set to true in the system configuration.
Mitigation in the JVM
Mitigation via the JVM parameter is no longer an option. Other mitigation methods remain effective. Upgrade to Log4j version 2.17.0 if at all possible. A migration guide is available for Log4j v1.
If an update is not possible, make sure that both client-side and server-side components have the -Dlog4j2.formatMsgNoLookups=true system property set.
Please note that Log4j v1 has reached end of life (EOL) and no longer receives bug fixes. Other RCE vectors also affect Log4j v1. We therefore recommend upgrading to Log4j 2.17.0 as soon as possible.
3. Mitigation measures
Current exploits may not work in some cases even when an affected Log4j is present, such as when the target machine runs a Java version newer than 6u212, 7u202, 8u192, or 11.0.2.
This is because recent Java versions have stronger protections against JNDI remote class loading, and remote class loading is what the attack relies on.
In addition, with Log4j versions above 2.10, the issue can be prevented by setting the formatMsgNoLookups system property to true, by passing the JVM argument -Dlog4j2.formatMsgNoLookups=true, or by removing the JndiLookup class from the classpath.
Meanwhile, until the situation is fully resolved, the vulnerability can be mitigated using the techniques below:
- Set the system property log4j2.formatMsgNoLookups to true for versions >= 2.10.
- Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for versions >= 2.10.
- Remove JndiLookup.class from the classpath for versions 2.0-beta9 through 2.10.0: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Another recommended best practice is to restrict egress traffic to the internet to the required ports only.
Although most attacks in the wild are delivered over HTTP, the vulnerability can be exploited through any protocol that logs user-supplied data with Log4j.
Nevertheless, upgrading to Log4j 2.17.0 is the best remedy, because someone may find another way around the mitigations. Furthermore, many vendors and developers have announced updates to their services or applications.
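The last bullet is the one most likely to be applied across a fleet, so it helps to have a way to find the jars, confirm what is in them, and verify the result. The following is an added Python example (not code from the original post or from the Log4j project) that locates log4j-core jars under a directory, reads Implementation-Version from the manifest, reports whether JndiLookup.class is present, and writes a copy with that entry removed, which is the same effect as the zip command above. The jar it builds for the demonstration is a constructed stand-in (a manifest plus empty class entries), not a real Log4j artifact, and the function names are my own.

```python
import os
import tempfile
import zipfile
from typing import Dict, Iterator, Optional

# Entry path inside log4j-core, as in the zip command above.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def find_log4j_jars(root: str) -> Iterator[str]:
    """Walk a directory tree and yield every log4j-core*.jar found."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                yield os.path.join(dirpath, name)


def implementation_version(jar_path: str) -> Optional[str]:
    """Read Implementation-Version from the jar manifest, if present."""
    with zipfile.ZipFile(jar_path) as zf:
        if MANIFEST not in zf.namelist():
            return None
        text = zf.read(MANIFEST).decode("utf-8", "replace")
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(jar_path: str) -> Dict[str, object]:
    """Version and JndiLookup presence for one jar."""
    with zipfile.ZipFile(jar_path) as zf:
        has_class = JNDI_LOOKUP in zf.namelist()
    return {"path": jar_path,
            "version": implementation_version(jar_path),
            "has_jndi_lookup": has_class}


def strip_jndi_lookup(jar_path: str, out_path: str) -> bool:
    """Copy jar_path to out_path without JndiLookup.class. Returns True if
    the entry was actually dropped, so a second run reports False."""
    removed = False
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def build_sample_jar(directory: str, version: str) -> str:
    """Constructed stand-in for a vulnerable log4j-core jar: a manifest and
    empty class entries. It is NOT a real Log4j artifact."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(JNDI_LOOKUP, b"")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    return path


def demo(version: str = "2.14.1") -> Dict[str, object]:
    """Build the sample jar in a temp tree, strip it, and report the state
    before and after, plus the no-op result of stripping it a second time."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "lib")
        os.makedirs(lib)
        jar = build_sample_jar(lib, version)
        found = list(find_log4j_jars(root))
        before = inspect_jar(jar)
        stripped = jar[:-4] + "-nojndi.jar"
        removed = strip_jndi_lookup(jar, stripped)
        after = inspect_jar(stripped)
        removed_again = strip_jndi_lookup(stripped, stripped + ".tmp")
    return {"found": len(found), "version": before["version"],
            "before": before["has_jndi_lookup"], "removed": removed,
            "after": after["has_jndi_lookup"], "removed_again": removed_again}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the stripped copy has to replace the jar the application actually loads, and the JVM must be restarted, since the class is already in memory in a running process; re-running inspect_jar afterwards is the check that the change landed.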
4. Patching the Log4Shell vulnerability
Log4j is everywhere, and now that the vulnerability is being actively exploited this matters more than ever. In short, all that is required is to get the following characters into a log message processed by Log4j.
That alone will download and run the Java file at the end of the URL. It really is that simple, astonishingly.
As you know, it is essential to upgrade Log4j to version >= 2.17.0 to fix this Log4Shell vulnerability (CVE-2021-44228).
If this is not possible:
For applications using Log4j library versions 2.10.0 and later, it is also possible to prevent any attack by setting the configuration parameter log4j2.formatMsgNoLookups to true, for example by starting the Java virtual machine with the -Dlog4j2.formatMsgNoLookups=true option.
Another option is to remove the JndiLookup class from the classpath, which removes the main attack vector (researchers do not rule out the existence of another attack vector).
Workarounds
Organizations that are hesitant or unable to patch affected systems (or that wish to add further protection) should consider the following:
- Make sure all traffic passes through a sensor, WAF, or IPS. This can stop attacks before they reach the system.
- Limit the amount of traffic that can reach the vulnerable system. If the system does not need to be reachable from the internet, restrict access to essential, trusted IPs and block the rest.
- Limit the outbound traffic the host is allowed to send. Because this attack works by connecting back to a malicious server, all unneeded IP addresses and ports should be blocked at the firewall.
- If the service is no longer needed, shut it down until a fix is ready.
Conclusion
The Log4j flaw shook our community and reminded us all how much we depend on open-source software.
Log4j is different. It is not an operating system, a browser, or an application. Rather, it is what developers call a library, package, or code module. It serves a single purpose, namely keeping a record of what happens on a server.
People who write code prefer to focus on what makes their software distinctive. They are not interested in reinventing the wheel. As a result, they rely on the large pool of existing code libraries, such as Log4j.
The Log4j module comes from Apache, the most widely used web server software. That is why it can be found on millions of servers, and hence the scale of the security threat.
I hope the solutions above help you keep your applications secure.
Keep an eye on HashDork for more useful information from the tech world.