In the early morning of December 10, details of a remote code execution vulnerability in the Apache open source project Log4j2, one of the most widely used Java logging frameworks in the world, were disclosed. The vulnerability affects many of the world's most widely used open source components, such as Apache Struts2, Apache Solr, Apache Druid and Apache Flink. Because it is easy to exploit, an attacker who triggers it can execute arbitrary code on the target server, causing serious harm to the victim. After the vulnerability was published, the vendor immediately released a new version, log4j-2.15.0-rc1, to fix it, and later updated to log4j-2.15.0-rc2, which fixed the vulnerability further.
But it never rains but it pours: we may have patched Log4j2 in a hurry, yet we still have to find the energy to read the next piece of news. Microsoft Azure App Service has a vulnerability named "NotLegit" that affects all PHP, Node, Ruby and Python applications deployed through "Local Git".
Azure App Service is a platform for hosting websites and web applications. Users only need to pick a supported programming language and operating system, then use FTP, SSH or Git to get their source code onto Azure's managed servers to complete the deployment, after which the application is reachable under the .azurewebsites.net domain. Because it is so easy to use, it is very popular with developers. This vulnerability appears in the deployment step.
Normally, when a developer deploys a Git repository to a web server or storage bucket, the .git folder is not uploaded, because it contains sensitive data. Azure, however, is set up so that if an application is deployed to Azure from local Git, the Git repository becomes a public directory that anyone can access. To keep this sensitive data from being exposed, Microsoft added a "web.config" file to the .git folder that restricts public access, so that the data is only handled by Microsoft's IIS web server.
This is where the vulnerability appears: that protection only works for C# or ASP.NET applications deployed on IIS. Because other web servers cannot process the "web.config" file, for PHP, Node, Ruby and Python applications deployed on a different web server an attacker only needs to fetch the /.git directory from the target application to obtain the corresponding source code.
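As an added example that is not part of the original article and not code from Microsoft or Wiz, the Python below shows the defender's side of this issue: it scans web-server access logs for requests that reached an application's /.git directory, flags the ones the server actually answered with content, and checks whether a /.git/HEAD response is a genuine Git file rather than a block page. The log lines and response bodies are constructed sample data.

```python
import re
from urllib.parse import unquote

# Any path that starts with /.git (case-insensitive) reaches into the repository directory.
GIT_PATH_RE = re.compile(r"^/\.git(?:/|$)", re.IGNORECASE)
# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

def parse_line(line):
    """Parse one combined-format log line; percent-decode the path so /%2Egit is seen as /.git."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    rec["status"] = int(rec["status"])
    return rec

def find_git_access(lines):
    """(ip, path, status) for every request into /.git; 200 means content was served, 403/404 means blocked."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and GIT_PATH_RE.match(rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits

def served_git_paths(lines):
    """Paths under /.git that the server answered with 200, i.e. evidence the repository was exposed."""
    return sorted({path for _, path, status in find_git_access(lines) if status == 200})

def looks_like_git_head(body):
    """True if a /.git/HEAD response is a real Git HEAD file (symbolic ref or detached SHA-1), not an error page."""
    body = body.strip()
    return body.startswith("ref: refs/") or re.fullmatch(r"[0-9a-f]{40}", body) is not None

# Constructed sample log lines (not real traffic): one client probes the repository, one is a normal visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Dec/2021:10:15:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.68.0"',
    '203.0.113.5 - - [09/Dec/2021:10:15:02 +0000] "GET /.git/config HTTP/1.1" 200 310 "-" "curl/7.68.0"',
    '198.51.100.7 - - [09/Dec/2021:10:16:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Dec/2021:10:17:13 +0000] "GET /%2Egit/index HTTP/1.1" 403 199 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    print("repository paths served with 200:", served_git_paths(SAMPLE_LOG))
```

Run against a real access log, an empty result from served_git_paths means the server refused every request into the repository, which is the behaviour the patched images should show.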
In response to this vulnerability, Microsoft has done the following:
Updated all PHP images to prohibit serving .git folders as static content, as a defense in depth.
Updated the security guidance document, adding a section on protecting source code, and also updated the local deployment documentation.
Between December 7 and 15, 2021, notified affected users by e-mail with specific guidance on mitigating the problem.
If you did not receive an e-mail, you do not need to worry right away, since you may not be affected by the vulnerability. The scope of the vulnerability is as follows:
All PHP, Node, Ruby and Python applications deployed in Azure App Service using "Local Git" since September 2017.
All PHP, Node, Ruby and Python applications in Azure App Service whose source code was deployed with Git from September 2017 onward, after files were created or modified in the application container.
Microsoft also notes that this vulnerability only affects applications deployed on Linux-based Azure servers. If your application is hosted on a Windows Server system, it is not affected.
The vulnerability was discovered and reported by the cloud security vendor Wiz, and Microsoft paid a bounty of 7,500 dollars.
Finally, if you have received an e-mail notification from Microsoft, you still need to complete the remediation according to the instructions in the e-mail as soon as possible ~