The emergency patch for the notorious vulnerability in the Java library Log4j is not foolproof. The Apache Software Foundation is releasing a new version to fix the vulnerability once and for all.
A vulnerability in the popular Java library is shaking up the global IT landscape. The library is estimated to be present in a great many business environments.
Log4j is used for logging. It lets applications record events as log entries. Think of writing out the login details after a login attempt. Or, in the case of a Java web application, the name of the browser with which a user tries to connect.
These last examples are common. In both cases, an external user influences the log that Log4j outputs. That influence can be abused. Logs from any version of Log4j released between September 13, 2013 and December 5, 2021 are able to instruct Java applications to run code from a remote server on a local device.
Since 2013, Log4j has processed an API: JNDI, or Java Naming and Directory Interface. The addition of JNDI allows a Java application to run code from a remote server on a local device. Programmers give that instruction by adding a single line with details about the remote server to the application.
The problem is that programmers are not the only ones who can add that line to applications. Suppose Log4j logs the usernames of login attempts. When someone enters the line mentioned above in the username field, Log4j processes the line and the Java application interprets it as an instruction to run code from the specified server. The same goes for cases where Log4j logs an HTTPS request. If you change the browser name to the line, Log4j processes the line, indirectly instructing the application to run the code as desired.
The emergency patch may also be insecure
On December 9, the vulnerability surfaced on a large scale. The Apache Software Foundation, the developer of Log4j, released an emergency patch (2.15) to fix the vulnerability. Since then, it has been the top priority for software vendors to move to version 2.15 and provide organizations with a patch.
However, the security organization LunaSec states that the patch is not completely watertight. It remains possible to adjust a setting so that logged JNDI instructions are executed.
Please note: the setting in question has to be adjusted manually, so unmodified installations of 2.15 are in fact safe. Nevertheless, LunaSec advises vendors and organizations to update to Log4j 2.16. Version 2.16 was published by the Apache Software Foundation in response to LunaSec. The new version removes the vulnerable feature entirely, making it harder to create conditions for exploitation.
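To see which of the three situations described above applies to a deployment, the following added example (not code from the article, Apache or LunaSec) inventories log4j-core jars inside a Java archive, including jars nested in other jars. It assumes the usual log4j-core-<version>.jar file naming, maps the article's date range to release numbers below 2.15 (an assumption), and uses status labels invented for this example.

```python
import contextlib
import io
import re
import zipfile

# log4j-core-<major>.<minor>[.<patch>][-qualifier].jar, at any depth in an archive
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")

def classify(name):
    """Return (version, status) for a log4j-core jar name, else None."""
    m = JAR_RE.search(name)
    if not m:
        return None
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    version = f"{major}.{minor}.{patch}"
    if major != 2:
        return version, "not-covered"      # the article only discusses 2.x
    if minor < 15:
        return version, "vulnerable"       # assumption: date range maps to < 2.15
    if minor == 15:
        return version, "emergency-patch"  # safe only while the setting is untouched
    return version, "feature-removed"      # 2.16 and later

def scan_archive(data, path=""):
    """Recursively list log4j-core jars inside a JAR/WAR/EAR given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            full = f"{path}!/{entry}" if path else entry
            if hit := classify(entry):
                findings.append((full, *hit))
            if entry.endswith((".jar", ".war", ".ear")):
                # Nested entries that are not readable archives are skipped.
                with contextlib.suppress(zipfile.BadZipFile):
                    findings += scan_archive(zf.read(entry), full)
    return findings

def _zip(entries):  # helper: build an in-memory archive for the sample below
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def sample_war():
    """Constructed sample: a WAR with two library jars and one fat jar."""
    fat = _zip({"BOOT-INF/lib/log4j-core-2.16.0.jar": b""})
    return _zip({"WEB-INF/lib/log4j-core-2.14.1.jar": b"",
                 "WEB-INF/lib/log4j-core-2.15.0.jar": b"",
                 "WEB-INF/lib/service.jar": fat})
```

Calling scan_archive(sample_war(), "app.war") returns one row per jar found; for a real application, pass the bytes of the deployed WAR or JAR instead of the constructed sample.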