Home > Àüü±â»ç

2022³â¿¡µµ °è¼ÓµÇ´Â ·Î±×4j »çÅÂ... 3°¡Áö Ãë¾àÁ¡ Ãß°¡ °ø°³

ÀÔ·Â : 2022-01-23 23:15
ÆäÀ̽ººÏ º¸³»±â Æ®À§ÅÍ º¸³»±â ³×À̹ö ¹êµå º¸³»±â Ä«Ä«¿À ½ºÅ丮 º¸³»±â ³×À̹ö ºí·Î±× º¸³»±â
¾ÆÆÄÄ¡Àç´Ü, º¸¾È°øÁö ÅëÇØ CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 Ãë¾àÁ¡ °ø°³

[º¸¾È´º½º ¿øº´Ã¶ ±âÀÚ] ¾ÆÆÄÄ¡Àç´ÜÀÌ ·Î±×4j(Log4j)¿¡ ´ëÇÑ º¸¾È°øÁö¸¦ ¹ßÇ¥Çß´Ù. À̹ø °øÁö´Â CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 Ãë¾àÁ¡¿¡ ´ëÇÑ ³»¿ëÀ̸ç, Ãë¾àÁ¡Àº °¢°¢ JMSSink, JDBCAppender, Chainsaw ¸ðµâ¿¡ Á¸ÀçÇÑ´Ù.

¡ãApache Log4j º¸¾È°øÁö[À̹ÌÁö=º¸¾È´º½º ĸó]


CVE-2022-23302 : Apache log4j JMSSink ¿ªÁ÷·ÄÈ­ Ãë¾àÁ¡
°ø°ÝÀÚ°¡ Log4j ¼³Á¤¿¡ ´ëÇØ ¼öÁ¤ ±ÇÇÑÀ» °®°í Àְųª ±¸¼ºÀÌ °ø°ÝÀÚ°¡ ¿¢¼¼½ºÇÒ ¼ö ÀÖ´Â LDAP ¼­ºñ½º¸¦ ÂüÁ¶ÇÏ´Â °æ¿ì, ¸ðµç Log4j 1.x ¹öÀü Áß JMSSink°¡ µ¥ÀÌÅÍ ¿ªÁ÷·ÄÈ­¿¡ Ãë¾àÇÏ´Ù. °ø°ÝÀÚ´Â TopicConnectionFactoryBindingName ¼³Á¤À» Àü´ÞÇØ JMSSink·Î ÇÏ¿©±Ý JNDI request¸¦ ½ÇÇàÇϵµ·Ï ÇÒ ¼ö ÀÖ´Ù. ÀÌ´Â CVE-2021-4104¿Í À¯»çÇÑ ¹æ½ÄÀ¸·Î µ¿ÀÛÇÑ´Ù. ´Ù¸¸, ±âº»°ªÀÌ ¾Æ´Ñ JMSSink¸¦ »ç¿ëÇϵµ·Ï Ưº°È÷ ±¸¼ºµÈ °æ¿ì¿¡¸¸ Log4j 1.x ¹öÀü¿¡¼­ ÇØ´ç Ãë¾àÁ¡ÀÇ ¿µÇâÀ» ¹Þ´Â´Ù.

CVE-2022-23305: Apache log4j JDBCAppender SQLÀÎÁ§¼Ç Ãë¾àÁ¡
Log4j 1.2.x ÁßÀÇ JDBAppender´Â SQL¹®À» ¸Å°³º¯¼ö·Î Çã¿ëÇϸç, PatternLayoutÀÇ message converter´Â ÇØ´ç ÀԷ°ª¿¡ ´ëÇÑ °ËÁõÀ» ÁøÇàÇÏÁö ¾Ê¾Æ SQLÀÎÁ§¼Ç Ãë¾àÁ¡ÀÌ À¯¹ßµÈ´Ù. °ø°ÝÀÚ°¡ ÇØ´ç Ãë¾àÁ¡À» ¾Ç¿ëÇϸé ÀÀ¿ë ÇÁ·Î±×·¥ÀÇ ÀÔ·Â ÇÊµå ¶Ç´Â Çì´õ¿¡ Á¶ÀÛµÈ ¹®ÀÚ¿­À» ÀÔ·ÂÇÏ¿© ÀǵµÇÏÁö ¾ÊÀº SQL Äõ¸®¸¦ ½ÇÇàÇÒ ¼ö ÀÖ´Ù. ÇØ´ç Ãë¾àÁ¡Àº ±âº»°ªÀÌ ¾Æ´Ñ JDBCAppender¸¦ »ç¿ëÇϵµ·Ï Ưº°È÷ ±¸¼ºµÈ °æ¿ì¿¡¸¸ Log4j 1.x ¹öÀü¿¡¼­ ÇØ´ç Ãë¾àÁ¡ÀÇ ¿µÇâÀ» ¹Þ´Â´Ù.

CVE-2022-23307: Apache log4j Chainsaw ¿ªÁ÷·ÄÈ­ ÄÚµå½ÇÇà Ãë¾àÁ¡
Chainsaw v2´Â Log4jÀÇ XMLLayout Çü½ÄÀÇ ·Î±× ÆÄÀÏÀ» ÀÐÀ» ¼ö ÀÖ´Â GUI ±â¹ÝÀÇ ·Î±× ºä¾î´Ù. ÇØ´ç Ãë¾àÁ¡Àº Chainsaw¿¡ Á¸ÀçÇϸç, ÀÓÀÇÄÚµå ½ÇÇàÀ» Çã¿ëÇÏ´Â ¿ªÁ÷·ÄÈ­ Ãë¾àÁ¡À¸·Î, ÀÌ Ãë¾àÁ¡ ÀÌÀü¿¡ CVE-2021-9493·Î ¸í¸íµÆ´Ù.

¡â¿µÇâ ¹Þ´Â ¹öÀü
CVE-2022-23302 : Apache Log4j 1.x ¹öÀüÀÇ JMSSink
CVE-2022-23305 : JApache Log4j 1.x ¹öÀüÀÇ DBCAppender
CVE-2022-23307 : Apache Log4j 1.x¹öÀü ¹× Apache Chainsaw 2.1.0 ¹Ì¸¸ ¹öÀüÀÇ Chainsaw

¡âÆÐÄ¡¹æ¹ý
CVE-2022-23302 : Apache Log4j 2.x ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®
CVE-2022-23305 : Apache Log4j 2.x ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®
CVE-2022-23307 : Apache Log4j 2.x ȤÀº Apache Chainsaw 2.1.0 ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®
[¿øº´Ã¶ ±âÀÚ(boanone@boannews.com)]

<ÀúÀÛ±ÇÀÚ: º¸¾È´º½º(www.boannews.com) ¹«´ÜÀüÀç-Àç¹èÆ÷±ÝÁö>

  •  
  • 0
  • ÆäÀ̽ººÏ º¸³»±â Æ®À§ÅÍ º¸³»±â ³×À̹ö ¹êµå º¸³»±â Ä«Ä«¿À ½ºÅ丮 º¸³»±â ³×À̹ö ºí·Î±× º¸³»±â

  • ¡°
  •  SNS¿¡¼­µµ º¸¾È´º½º¸¦ ¹Þ¾Æº¸¼¼¿ä!! 
  • ¡±
¾Æ½ºÆ®·Ð½ÃÅ¥¸®Æ¼ ÆÄ¿öºñÁî 2023³â2¿ù23ÀÏ ½ÃÀÛ ³Ý¾Øµå ÆÄ¿öºñÁî ÁøÇà 2020³â1¿ù8ÀÏ ½ÃÀÛ~2021³â 1¿ù8ÀϱîÁö À§Áîµð¿£¿¡½º 2018
¼³¹®Á¶»ç
³»³â ȸ»ç¿¡ ²À µµÀÔÇÏ°í ½ÍÀº º¸¾È ¼Ö·ç¼Ç ¶Ç´Â Ç÷§ÆûÀº ¹«¾ùÀΰ¡¿ä?
XDR
EDR
AI º¸¾È
Á¦·ÎÆ®·¯½ºÆ®
°ø±Þ¸Á º¸¾È ü°è(SBOM)
Ŭ¶ó¿ìµå º¸¾È ¼Ö·ç¼Ç
±âŸ(´ñ±Û·Î)