Vulnerability ID: 14263
Risk level: 40
Port: 22
Protocol: TCP
Category: LSC
Detailed description: Apache Log4j2 version <=2.14.1 is installed on the remote host.
The JNDI features used in configuration, log messages and parameters in Apache Log4j2 <=2.14.1 do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from an LDAP server when message lookup substitution is enabled.

From log4j 2.15.0 this behavior is disabled by default. In earlier releases (>2.10) it can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (e.g. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
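The two indicators the description above gives an administrator, the log4j-core version and whether JndiLookup.class is still present in the jar, can be checked offline with a script like the following. This is an added example, not part of the scanner's own check; it builds small stand-in jars in memory (constructed, not real log4j artifacts) and uses the 2.15.0 threshold stated on this page.

```python
import io
import re
import zipfile

# Class removed by the "zip -q -d" mitigation quoted in the description.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # threshold given by this advisory


def parse_version(text):
    """Turn '2.14.1' into a comparable tuple (2, 14, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def manifest_version(jar):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_jar(data):
    """Return (verdict, version, has_jndi_lookup) for in-memory jar bytes.
    vulnerable: version below 2.15.0 and JndiLookup.class still packaged;
    mitigated-class-removed: old version but the class was stripped;
    fixed: version 2.15.0 or later (lookups disabled by default)."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        has_class = JNDI_LOOKUP_CLASS in jar.namelist()
        version = manifest_version(jar)
    if version is None:
        return ("unknown-version", version, has_class)
    if parse_version(version) >= FIXED_VERSION:
        return ("fixed", version, has_class)
    if not has_class:
        return ("mitigated-class-removed", version, has_class)
    return ("vulnerable", version, has_class)


def build_sample_jar(version, include_jndi_lookup):
    """Constructed stand-in for log4j-core-<version>.jar (not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    for ver, keep in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True)]:
        print(ver, "JndiLookup" if keep else "stripped", assess_jar(build_sample_jar(ver, keep))[0])
```

On a real host, point assess_jar at the bytes of each log4j-core-*.jar found on disk; note that it cannot see the runtime "log4j2.formatMsgNoLookups" property, which must be checked in the JVM's startup options separately.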

* Note: This check requires an account with administrator privileges that can log in to the host being checked. If this condition is not met, the check cannot be performed and may produce false negatives for all vulnerable hosts.

* Reference sites:
http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html
http://www.openwall.com/lists/oss-security/2021/12/10/1
http://www.openwall.com/lists/oss-security/2021/12/10/2
http://www.openwall.com/lists/oss-security/2021/12/10/3
http://www.openwall.com/lists/oss-security/2021/12/13/1
http://www.openwall.com/lists/oss-security/2021/12/13/2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/
https://logging.apache.org/log4j/2.x/security.html
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
https://security.netapp.com/advisory/ntap-20211210-0007/
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
Solution: Upgrade to the latest version of log4j (2.15.0 or later), available from the log4j website at https://logging.apache.org/log4j/.
Related URL: CVE-2021-44228 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)