Okuqukethwe[Fihla][Bonisa]
Ekupheleni kukaNovemba 2021, sathola usongo olukhulu ekuvikelekeni kwe-inthanethi. Lokhu kuxhaphaza kungase kuthinte izigidi zezinhlelo zamakhompiyutha emhlabeni wonke.
Lona umhlahlandlela wokuba sengozini kwe-Log4j kanye nokuthi iphutha ledizayini elinganakiwe lishiye ngaphezu kuka-90% wezinsizakalo zekhompyutha zomhlaba zivulekele ukuhlasela.
I-Apache Log4j iyisisetshenziswa sokungena esisekelwe ku-Java esisekelwe kumthombo ovulekile esakhiwe yi-Apache Software Foundation. Ekuqaleni eyabhalwa u-Ceki Gülcü ngo-2001, manje isiyingxenye ye-Apache Logging Services, iphrojekthi ye-Apache Software Foundation.
Izinkampani emhlabeni jikelele zisebenzisa umtapo wezincwadi we-Log4j ukunika amandla ukungena ezinhlelweni zazo. Eqinisweni, umtapo wezincwadi we-Java ukhona yonke indawo, ungawuthola ezinhlelweni zokusebenza ezivela ku-Amazon, Microsoft, Google, nokunye.
Ukuvelela komtapo wolwazi kusho ukuthi noma iliphi iphutha elingase libe khona kukhodi lingashiya izigidi zamakhompuyutha zivulekele ukugetshengwa. NgoNovemba 24, 2021, a ukuphepha kwefu Umcwaningi osebenzela i-Alibaba uthole iphutha elibi.
Ukuba sengozini kwe-Log4j, okwaziwa nangokuthi i-Log4Shell, bekukhona kungaziwa kusukela ngo-2013. Ukuba sengozini kuvumele abadlali abanonya ukuthi basebenzise ikhodi kumasistimu athintekile asebenzisa i-Log4j. Kwadalulwa esidlangalaleni ngomhla ka-9 Disemba 2021
Ochwepheshe bemboni babiza i-Log4Shell flaw the ubungozi obukhulu kunkumbulo yakamuva.
Evikini elilandela ukushicilelwa kokuba sengozini, amaqembu ezokuphepha ku-inthanethi athole izigidi zokuhlaselwa. Abanye abacwaningi baze babona izinga lokuhlasela okungaphezu kwekhulu ngomzuzu.
Isebenza kanjani?
Ukuze siqonde ukuthi kungani i-Log4Shell iyingozi kangaka, sidinga ukuqonda ukuthi ikwazi ukwenzani.
Ukuba sengozini kwe-Log4Shell kuvumela ukwenziwa kwekhodi okunganasizathu, okusho ukuthi umhlaseli angasebenzisa noma yimuphi umyalo noma ikhodi emshinini oqondiwe.
Ikufeza kanjani lokhu?
Okokuqala, sidinga ukuqonda ukuthi iyini i-JNDI.
I-Java Naming and Directory Interface (JNDI) iyisevisi ye-Java evumela izinhlelo ze-Java ukuthi zithole futhi zibheke idatha nezisetshenziswa ngegama. Lezi zinsizakalo zohla lwemibhalo zibalulekile ngoba zinikeza isethi ehleliwe yamarekhodi ukuze onjiniyela bawabhekise kalula lapho bedala izinhlelo zokusebenza.
I-JNDI ingasebenzisa amaphrothokholi ahlukahlukene ukuze ifinyelele uhla lwemibhalo oluthile. Enye yalezi zinqubo yi-Lightweight Directory Access Protocol, noma i-LDAP.
Lapho ugawula intambo, Ilogi4j yenza ukushintshaniswa kweyunithi yezinhlamvu uma ehlangabezana nezinkulumo zefomu ${prefix:name}
.
Ngokwesibonelo, Text: ${java:version}
ingase ifakwe njengombhalo: Java version 1.8.0_65. Lezi zinhlobo zokushintshwa zivamile.
Singaphinde sibe nezisho ezinjengokuthi Text: ${jndi:ldap://example.com/file}
esebenzisa uhlelo lwe-JNDI ukulayisha into ye-Java kusuka ku-URL ngephrothokholi ye-LDAP.
Lokhu kulayisha ngempumelelo idatha evela kuleyo URL emshinini. Noma yimuphi umgebengu onamandla angabamba ikhodi enonya ku-URL esesidlangalaleni futhi alinde imishini esebenzisa i-Log4j ukuyiloga.
Njengoba okuqukethwe kwemilayezo yelogi kuqukethe idatha elawulwa umsebenzisi, izigebengu ze-inthanethi zingafaka izinkomba zazo ze-JNDI ezikhomba kumaseva e-LDAP abawalawulayo. Lawa maseva e-LDAP angagcwala izinto ze-Java ezinonya i-JNDI engakwazi ukuzisebenzisa ngokuba sengozini.
Okwenza lokhu kube kubi kakhulu ukuthi akunandaba ukuthi uhlelo lokusebenza luwuhlangothi lweseva noma luwuhlangothi lweklayenti.
Inqobo nje uma kunendlela yokuthi umgawuli afunde ikhodi enonya yomhlaseli, uhlelo lokusebenza lusavulekele ukuxhaphaza.
Ubani othintekayo?
Ukuba sengozini kuthinta zonke izinhlelo namasevisi asebenzisa i-APache Log4j, enezinguqulo ezingu-2.0 kufika futhi ezifaka 2.14.1.
Ochwepheshe abambalwa bezokuphepha bayeluleka ukuthi ukuba sengozini kungase kuthinte inani lezinhlelo zokusebenza ezisebenzisa i-Java.
Iphutha latholwa okokuqala emdlalweni wevidiyo weMinecraft ophethwe yiMicrosoft. I-Microsoft inxuse abasebenzisi bayo ukuthi bathuthukise isofthiwe yabo ye-Java edition Minecraft ukuvimbela noma iyiphi ingozi.
UJen Easterly, uMqondisi weCybersecurity and Infrastructure Security Agency (CISA) uthi abathengisi bane umthwalo omkhulu ukuvimbela abasebenzisi bokugcina kusukela kubadlali abanonya abasebenzisa lobu bungozi.
"Abathengisi kufanele futhi baxhumane namakhasimende abo ukuze baqinisekise ukuthi abasebenzisi bokugcina bayazi ukuthi umkhiqizo wabo uqukethe lobu bungozi futhi kufanele ubeke phambili ukuvuselelwa kwesoftware."
Kubikwa ukuthi ukuhlasela sekuqalile. I-Symantec, inkampani ehlinzeka ngesofthiwe ye-cybersecurity, ibone inani elihlukahlukene lezicelo zokuhlasela.
Nazi ezinye izibonelo zezinhlobo zokuhlasela ezitholwe abacwaningi:
- botnets
I-Botnets inethiwekhi yamakhompuyutha angaphansi kolawulo lweqembu elilodwa elihlaselayo. Basiza ukwenza ukuhlasela kwe-DDoS, ukweba idatha, neminye imikhonyovu. Abacwaningi babone i-botnet ye-Muhstik kumaskripthi egobolondo alandwe ku-Log4j exploit.
- I-XMRig Miner Trojan
I-XMRig iwumthombo ovulekile wezimayini we-cryptocurrency osebenzisa ama-CPU ukumba ithokheni ye-Monero. Izigebengu ze-Cybercriminal zingafaka i-XMRig emishinini yabantu ukuze bakwazi ukusebenzisa amandla abo okucubungula ngaphandle kolwazi lwabo.
- I-Khonsari Ransomware
I-Ransomware isho uhlobo lohlelo olungayilungele ikhompuyutha oluklanyelwe bethela amafayela kukhompuyutha. Abahlaseli bangase bafune inkokhelo ukuze banikeze ukufinyelela kumafayela abethelwe. Abacwaningi bathole i-Khonsari ransomware ekuhlaselweni kwe-Log4Shell. Baqondise amaseva e-Windows futhi basebenzisa uhlaka lwe-.NET.
Kwenzekani ngokulandelayo?
Ochwepheshe babikezela ukuthi kungase kuthathe izinyanga noma mhlawumbe ngisho neminyaka ukulungisa ngokugcwele isiphithiphithi esilethwe ukuba sengozini kwe-Log4J.
Le nqubo ibandakanya ukubuyekeza yonke isistimu ethintekile ngenguqulo efakwe nezichibi. Noma ngabe zonke lezi zinhlelo zibhaciwe, kusekhona usongo oluzayo lwezigebengu ezingaba khona okungenzeka ukuthi sezivele zizingezile efasiteleni iziphakeli ebezivulekele ukuhlaselwa.
Abaningi izixazululo kanye nokunciphisa ikhona ukuze uvimbele izinhlelo zokusebenza ukuthi zingaxhashazwa yilesi siphazamisi. Inguqulo entsha ye-Log4j engu-2.15.0-rc1 iguqule izilungiselelo ezihlukene ukuze kwehliswe lobu sengozini.
Zonke izici ezisebenzisa i-JNDI zizokhutshazwa ngokuzenzakalela futhi ukubheka okukude nakho kukhawulelwe. Ukukhubaza isici sokubheka ekusetheni kwakho kwe-Log4j kuzosiza ukwehlisa ubungozi bokuxhaphaza okungenzeka.
Ngaphandle kwe-Log4j, kusenesidingo sohlelo olubanzi lokuvimbela ukuxhashazwa kwemithombo evulekile.
Ngaphambilini ngoMeyi, i-White House yakhipha incwadi ukuhleleka obekuhloswe ngaso ukuthuthukisa ukuphepha ku-inthanethi kuzwelonke. Yayihlanganisa umbandela we-software bill of materials (SBOM) okwakuwumbhalo osemthethweni owawuqukethe uhlu lwazo zonke izinto ezidingekayo ukuze kwakhiwe isicelo.
Lokhu kuhlanganisa izingxenye ezifana ne- umthombo ovulekile amaphakheji, okuncikile, nama-API asetshenziselwa ukuthuthukiswa. Nakuba umqondo wama-SBOM uwusizo ekukhanyeni, ingabe uzosiza ngempela umthengi?
Ukuthuthukisa ukuncika kungase kube nzima kakhulu. Izinkampani zingavele zikhethe ukukhokha noma yiziphi izinhlawulo kunokuba zibeke engcupheni yokumosha isikhathi esengeziwe ngokuthola amanye amaphakheji. Mhlawumbe lawa ma-SBOM azoba usizo kuphela uma ekhona ububanzi kunqunyelwe okwengeziwe.
Isiphetho
Udaba lwe-Log4j lungaphezu nje kwenkinga yezobuchwepheshe yezinhlangano.
Abaholi bamabhizinisi kufanele baqaphele ubungozi obungaba khona lapho amaseva, imikhiqizo, noma izinsiza zabo zithembele kukhodi bona ngokwabo abangayigcini.
Ukuthembela kumthombo ovulekile kanye nezinhlelo zokusebenza zezinkampani zangaphandle kuhlala kufika nenani elithile lobungozi. Izinkampani kufanele zicabangele ukusebenzisa amasu okunciphisa ubungozi ngaphambi kokuthi kuvele izinsongo ezintsha.
Iwebhu eningi incike kwisofthiwe yomthombo ovulekile enakekelwa izinkulungwane zamavolontiya emhlabeni jikelele.
Uma sifuna ukugcina iwebhu iyindawo ephephile, ohulumeni nezinkampani kufanele batshale imali ekuxhaseni ngezimali imizamo yomthombo ovulekile kanye nama-ejensi wezokuphepha ku-inthanethi njenge I-CISA.
shiya impendulo