The emergency patch for the notorious vulnerability in the Java library Log4j is not foolproof. The Apache Software Foundation is releasing a new version to fix the vulnerability permanently.
A vulnerability in the hugely popular Java library is shaking the global IT landscape. The library is estimated to be present in a large number of corporate environments.
Log4j is mainly used for logging. Events in an application can be recorded as log entries. Think of printing the login details after a login attempt. Or, in the case of a Java web application, the name of the browser with which a user tries to connect.
These last examples are common. In both cases, an external user influences the log that Log4j outputs. That influence can be abused. Logs in any version of Log4j between September 13, 2013 and December 5, 2021 are able to instruct Java applications to run code from a remote server on the local device.
Since 2013, Log4j has processed an API: JNDI, or Java Naming and Directory Interface. The addition of JNDI allows a Java program to run code from a remote server on the local device. Programmers give that instruction by adding a single line with details about the remote server to the application.
The problem is that programmers are not the only ones who can add the instruction to applications. Suppose Log4j logs the usernames of login attempts. If someone enters the line mentioned above in the username field, Log4j processes the line and the Java application interprets the instruction to run code from the specified server. The same goes for cases where Log4j logs an HTTPS request. If you change the browser name to the line, Log4j processes the line, indirectly instructing the application to run code as desired.
Emergency patch may be unsafe
On December 9, the vulnerability surfaced on a large scale. The Apache Software Foundation, the developer of Log4j, released an emergency patch (2.15) to fix the vulnerability. Since then, it has been a top priority for software vendors to incorporate version 2.15 and provide the patch to organizations.
However, security organization LunaSec says that this patch is not completely watertight. It remains possible to adjust the configuration and log JNDI commands.
Please note: the configuration in question has to be adjusted manually, so unchanged variants of 2.15 are indeed safe. Nevertheless, LunaSec recommends that providers and organizations update to Log4j 2.16. Version 2.16 was published by the Apache Software Foundation in response to LunaSec. The new version completely removes the vulnerable configuration, making it impossible to create the conditions for abuse.
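To act on the 2.15 versus 2.16 guidance above, an organization first needs an inventory of the Log4j copies it runs. The following is an added example, not code from the article or from Apache: it assumes the library ships under its usual artifact name `log4j-core-<version>.jar` (renamed or repackaged copies will be missed), and the names `classify` and `scan` are hypothetical.

```python
import os
import re
import sys
import zipfile

# log4j-core-<major>.<minor>[.<patch>][-qualifier].jar, as a file or an archive entry
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def classify(name):
    """Return (version, status) for a log4j-core jar name, or None."""
    m = JAR_RE.search(name)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    version = f"{major}.{minor}" + (f".{m.group(3)}" if m.group(3) else "")
    if (major, minor) < (2, 15):
        status = "predates the 2.15 emergency patch: update"
    elif (major, minor) == (2, 15):
        status = "2.15: safe only with unchanged configuration, update to 2.16"
    else:  # assumption: releases after 2.16 keep the removal described for 2.16
        status = "2.16 or later: vulnerable configuration removed"
    return version, status

def scan(root):
    """Walk root; report log4j-core jars on disk and bundled inside archives."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            hit = classify(fname)
            if hit:
                findings.append((path, *hit))
            if fname.lower().endswith(ARCHIVES):
                try:
                    with zipfile.ZipFile(path) as zf:
                        entries = zf.namelist()
                except (zipfile.BadZipFile, OSError):
                    continue  # unreadable archive: skip it, do not abort the scan
                for entry in entries:
                    hit = classify(entry)
                    if hit:
                        findings.append((f"{path}!{entry}", *hit))
    return sorted(findings)

if __name__ == "__main__":
    for location, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{location}\t{version}\t{status}")
```

Run it with the directory to inspect as the only argument. Archives nested more than one level deep are not opened, so a jar inside a war inside an ear needs a second pass.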