¾ÆÆÄÄ¡Àç´Ü, º¸¾È°øÁö ÅëÇØ CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 Ãë¾àÁ¡ °ø°³
[º¸¾È´º½º ¿øº´Ã¶ ±âÀÚ] ¾ÆÆÄÄ¡Àç´ÜÀÌ ·Î±×4j(Log4j)¿¡ ´ëÇÑ º¸¾È°øÁö¸¦ ¹ßÇ¥Çß´Ù. À̹ø °øÁö´Â CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 Ãë¾àÁ¡¿¡ ´ëÇÑ ³»¿ëÀ̸ç, Ãë¾àÁ¡Àº °¢°¢ JMSSink, JDBCAppender, Chainsaw ¸ðµâ¿¡ Á¸ÀçÇÑ´Ù.
CVE-2022-23302 : Apache log4j JMSSink ¿ªÁ÷·ÄÈ Ãë¾àÁ¡
°ø°ÝÀÚ°¡ Log4j ¼³Á¤¿¡ ´ëÇØ ¼öÁ¤ ±ÇÇÑÀ» °®°í Àְųª ±¸¼ºÀÌ °ø°ÝÀÚ°¡ ¿¢¼¼½ºÇÒ ¼ö ÀÖ´Â LDAP ¼ºñ½º¸¦ ÂüÁ¶ÇÏ´Â °æ¿ì, ¸ðµç Log4j 1.x ¹öÀü Áß JMSSink°¡ µ¥ÀÌÅÍ ¿ªÁ÷·ÄÈ¿¡ Ãë¾àÇÏ´Ù. °ø°ÝÀÚ´Â TopicConnectionFactoryBindingName ¼³Á¤À» Àü´ÞÇØ JMSSink·Î ÇÏ¿©±Ý JNDI request¸¦ ½ÇÇàÇϵµ·Ï ÇÒ ¼ö ÀÖ´Ù. ÀÌ´Â CVE-2021-4104¿Í À¯»çÇÑ ¹æ½ÄÀ¸·Î µ¿ÀÛÇÑ´Ù. ´Ù¸¸, ±âº»°ªÀÌ ¾Æ´Ñ JMSSink¸¦ »ç¿ëÇϵµ·Ï Ưº°È÷ ±¸¼ºµÈ °æ¿ì¿¡¸¸ Log4j 1.x ¹öÀü¿¡¼ ÇØ´ç Ãë¾àÁ¡ÀÇ ¿µÇâÀ» ¹Þ´Â´Ù.
CVE-2022-23305: Apache log4j JDBCAppender SQLÀÎÁ§¼Ç Ãë¾àÁ¡
Log4j 1.2.x ÁßÀÇ JDBAppender´Â SQL¹®À» ¸Å°³º¯¼ö·Î Çã¿ëÇϸç, PatternLayoutÀÇ message converter´Â ÇØ´ç ÀԷ°ª¿¡ ´ëÇÑ °ËÁõÀ» ÁøÇàÇÏÁö ¾Ê¾Æ SQLÀÎÁ§¼Ç Ãë¾àÁ¡ÀÌ À¯¹ßµÈ´Ù. °ø°ÝÀÚ°¡ ÇØ´ç Ãë¾àÁ¡À» ¾Ç¿ëÇϸé ÀÀ¿ë ÇÁ·Î±×·¥ÀÇ ÀÔ·Â ÇÊµå ¶Ç´Â Çì´õ¿¡ Á¶ÀÛµÈ ¹®ÀÚ¿À» ÀÔ·ÂÇÏ¿© ÀǵµÇÏÁö ¾ÊÀº SQL Äõ¸®¸¦ ½ÇÇàÇÒ ¼ö ÀÖ´Ù. ÇØ´ç Ãë¾àÁ¡Àº ±âº»°ªÀÌ ¾Æ´Ñ JDBCAppender¸¦ »ç¿ëÇϵµ·Ï Ưº°È÷ ±¸¼ºµÈ °æ¿ì¿¡¸¸ Log4j 1.x ¹öÀü¿¡¼ ÇØ´ç Ãë¾àÁ¡ÀÇ ¿µÇâÀ» ¹Þ´Â´Ù.
CVE-2022-23307: Apache log4j Chainsaw ¿ªÁ÷·ÄÈ ÄÚµå½ÇÇà Ãë¾àÁ¡
Chainsaw v2´Â Log4jÀÇ XMLLayout Çü½ÄÀÇ ·Î±× ÆÄÀÏÀ» ÀÐÀ» ¼ö ÀÖ´Â GUI ±â¹ÝÀÇ ·Î±× ºä¾î´Ù. ÇØ´ç Ãë¾àÁ¡Àº Chainsaw¿¡ Á¸ÀçÇϸç, ÀÓÀÇÄÚµå ½ÇÇàÀ» Çã¿ëÇÏ´Â ¿ªÁ÷·ÄÈ Ãë¾àÁ¡À¸·Î, ÀÌ Ãë¾àÁ¡ ÀÌÀü¿¡ CVE-2021-9493·Î ¸í¸íµÆ´Ù.
¡â¿µÇâ ¹Þ´Â ¹öÀü
CVE-2022-23302 : Apache Log4j 1.x ¹öÀüÀÇ JMSSink
CVE-2022-23305 : JApache Log4j 1.x ¹öÀüÀÇ DBCAppender
CVE-2022-23307 : Apache Log4j 1.x¹öÀü ¹× Apache Chainsaw 2.1.0 ¹Ì¸¸ ¹öÀüÀÇ Chainsaw
¡âÆÐÄ¡¹æ¹ý
CVE-2022-23302 : Apache Log4j 2.x ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®
CVE-2022-23305 : Apache Log4j 2.x ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®
CVE-2022-23307 : Apache Log4j 2.x ȤÀº Apache Chainsaw 2.1.0 ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®
[¿øº´Ã¶ ±âÀÚ(boanone@boannews.com)]
[º¸¾È´º½º ¿øº´Ã¶ ±âÀÚ] ¾ÆÆÄÄ¡Àç´ÜÀÌ ·Î±×4j(Log4j)¿¡ ´ëÇÑ º¸¾È°øÁö¸¦ ¹ßÇ¥Çß´Ù. À̹ø °øÁö´Â CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 Ãë¾àÁ¡¿¡ ´ëÇÑ ³»¿ëÀ̸ç, Ãë¾àÁ¡Àº °¢°¢ JMSSink, JDBCAppender, Chainsaw ¸ðµâ¿¡ Á¸ÀçÇÑ´Ù.
¡ãApache Log4j º¸¾È°øÁö[À̹ÌÁö=º¸¾È´º½º ĸó]
CVE-2022-23302 : Apache log4j JMSSink ¿ªÁ÷·ÄÈ Ãë¾àÁ¡
°ø°ÝÀÚ°¡ Log4j ¼³Á¤¿¡ ´ëÇØ ¼öÁ¤ ±ÇÇÑÀ» °®°í Àְųª ±¸¼ºÀÌ °ø°ÝÀÚ°¡ ¿¢¼¼½ºÇÒ ¼ö ÀÖ´Â LDAP ¼ºñ½º¸¦ ÂüÁ¶ÇÏ´Â °æ¿ì, ¸ðµç Log4j 1.x ¹öÀü Áß JMSSink°¡ µ¥ÀÌÅÍ ¿ªÁ÷·ÄÈ¿¡ Ãë¾àÇÏ´Ù. °ø°ÝÀÚ´Â TopicConnectionFactoryBindingName ¼³Á¤À» Àü´ÞÇØ JMSSink·Î ÇÏ¿©±Ý JNDI request¸¦ ½ÇÇàÇϵµ·Ï ÇÒ ¼ö ÀÖ´Ù. ÀÌ´Â CVE-2021-4104¿Í À¯»çÇÑ ¹æ½ÄÀ¸·Î µ¿ÀÛÇÑ´Ù. ´Ù¸¸, ±âº»°ªÀÌ ¾Æ´Ñ JMSSink¸¦ »ç¿ëÇϵµ·Ï Ưº°È÷ ±¸¼ºµÈ °æ¿ì¿¡¸¸ Log4j 1.x ¹öÀü¿¡¼ ÇØ´ç Ãë¾àÁ¡ÀÇ ¿µÇâÀ» ¹Þ´Â´Ù.
CVE-2022-23305: Apache log4j JDBCAppender SQLÀÎÁ§¼Ç Ãë¾àÁ¡
Log4j 1.2.x ÁßÀÇ JDBAppender´Â SQL¹®À» ¸Å°³º¯¼ö·Î Çã¿ëÇϸç, PatternLayoutÀÇ message converter´Â ÇØ´ç ÀԷ°ª¿¡ ´ëÇÑ °ËÁõÀ» ÁøÇàÇÏÁö ¾Ê¾Æ SQLÀÎÁ§¼Ç Ãë¾àÁ¡ÀÌ À¯¹ßµÈ´Ù. °ø°ÝÀÚ°¡ ÇØ´ç Ãë¾àÁ¡À» ¾Ç¿ëÇϸé ÀÀ¿ë ÇÁ·Î±×·¥ÀÇ ÀÔ·Â ÇÊµå ¶Ç´Â Çì´õ¿¡ Á¶ÀÛµÈ ¹®ÀÚ¿À» ÀÔ·ÂÇÏ¿© ÀǵµÇÏÁö ¾ÊÀº SQL Äõ¸®¸¦ ½ÇÇàÇÒ ¼ö ÀÖ´Ù. ÇØ´ç Ãë¾àÁ¡Àº ±âº»°ªÀÌ ¾Æ´Ñ JDBCAppender¸¦ »ç¿ëÇϵµ·Ï Ưº°È÷ ±¸¼ºµÈ °æ¿ì¿¡¸¸ Log4j 1.x ¹öÀü¿¡¼ ÇØ´ç Ãë¾àÁ¡ÀÇ ¿µÇâÀ» ¹Þ´Â´Ù.
CVE-2022-23307: Apache log4j Chainsaw ¿ªÁ÷·ÄÈ ÄÚµå½ÇÇà Ãë¾àÁ¡
Chainsaw v2´Â Log4jÀÇ XMLLayout Çü½ÄÀÇ ·Î±× ÆÄÀÏÀ» ÀÐÀ» ¼ö ÀÖ´Â GUI ±â¹ÝÀÇ ·Î±× ºä¾î´Ù. ÇØ´ç Ãë¾àÁ¡Àº Chainsaw¿¡ Á¸ÀçÇϸç, ÀÓÀÇÄÚµå ½ÇÇàÀ» Çã¿ëÇÏ´Â ¿ªÁ÷·ÄÈ Ãë¾àÁ¡À¸·Î, ÀÌ Ãë¾àÁ¡ ÀÌÀü¿¡ CVE-2021-9493·Î ¸í¸íµÆ´Ù.
¡â¿µÇâ ¹Þ´Â ¹öÀü
CVE-2022-23302 : Apache Log4j 1.x ¹öÀüÀÇ JMSSink
CVE-2022-23305 : JApache Log4j 1.x ¹öÀüÀÇ DBCAppender
CVE-2022-23307 : Apache Log4j 1.x¹öÀü ¹× Apache Chainsaw 2.1.0 ¹Ì¸¸ ¹öÀüÀÇ Chainsaw
¡âÆÐÄ¡¹æ¹ý
CVE-2022-23302 : Apache Log4j 2.x ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®
CVE-2022-23305 : Apache Log4j 2.x ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®
CVE-2022-23307 : Apache Log4j 2.x ȤÀº Apache Chainsaw 2.1.0 ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®
[¿øº´Ã¶ ±âÀÚ(boanone@boannews.com)]
<ÀúÀÛ±ÇÀÚ: º¸¾È´º½º(www.boannews.com) ¹«´ÜÀüÀç-Àç¹èÆ÷±ÝÁö>
¿øº´Ã¶±âÀÚ ±â»çº¸±â
[2024-04-18] 
.jpg)
.jpg)
.jpg)
