Apache HertzBeat SnakeYaml·´ÐòÁл¯·ì϶À´Ï®£¬£¬£¬£¬£¬£¬£¬£¬8827Ì«Ñô¼¯ÍÅÌṩ½â¾ö¹æ»®

°ä²¼¹¦·ò 2024-09-28

Apache HertzBeat ÊÇ¿ªÔ´µÄʵʱ¼à¿Ø¹¤¾ß£¬£¬£¬£¬£¬£¬£¬£¬ÊÜÓ°Ïì°æ±¾ÖÐδ¶ÔÓû§¿É¿ØµÄ yaml ÎļþÓÐЧ¹ýÂË£¬£¬£¬£¬£¬£¬£¬£¬¾­¹ýÉí·ÝÑéÖ¤µÄ¹¥»÷Õß¿É»ú¹Ø¶ñÒâµÄ yaml ÎļþÔ¶³ÌÖ´ÐÐËÁÒâ´úÂë¡£¡£¡£¡£¡£


2024Äê9Ô£¬£¬£¬£¬£¬£¬£¬£¬8827Ì«Ñô¼¯Íżà¿Øµ½Apache HertzBeat¹Ù·½°ä²¼ÁËCVE-2024-42323 £¬£¬£¬£¬£¬£¬£¬£¬snakeYaml µÄ RCE ¼ÓÔضñÒâ yamlÊý¾Ý¡£¡£¡£¡£¡£¸Ã·ì϶CVSS3.1Ä¿Ç°ÆÀ·ÖΪ8.8·Ö£¬£¬£¬£¬£¬£¬£¬£¬²¢ÇÒÆä×ÛºÏÆÀ¼¶Îª¡°¸ßΣ¡±¡£¡£¡£¡£¡£


ͼƬ1.png


·ì϶¸´ÏÖ


ͼƬ2.png


ͼƬ3.png


Ó°Ïì°æ±¾


Apache Hertbeat < 1.6.0


½â¾ö¹æ»®


Ò»¡¢¹Ù·½½¨¸´¹æ»®


Ä¿Ç°¹Ù·½ÒÑÓпɸüа汾£¬£¬£¬£¬£¬£¬£¬£¬½¨ÒéÊÜÓ°ÏìÓû§Éý¼¶ÖÁ×îа汾:

Apache Hertbeat >= 1.6.0

¹Ù·½ÏÂÔصØÖ·£º

https://hertzbeat.apache.org/zh-cn/docs/download/


¶þ¡¢8827Ì«Ñô¼¯ÍŽâ¾ö¹æ»®


1¡¢8827Ì«Ñô¼¯Íżì²âÀà²úÆ·¹æ»®


ÌìãÙÈëÇÖ¼ì²âÓëÖÎÀíϵͳ£¨IDS£©¡¢ÌìãÙ³¬Èںϼì²â̽Õ루CSP£©¡¢ÌìãÙÍþв·ÖÎöÒ»Ìå»ú£¨TAR£©¡¢ÌìÇåWEB°²È«ÀûÓÃÍø¹Ø£¨WAF£©Éý¼¶µ½20240927°æ±¾ÊÂÎñ¿â£¬£¬£¬£¬£¬£¬£¬£¬ÌìÇåÈëÇÖ·ÀÓùϵͳ£¨IPS£©Éý¼¶µ½×îа汾ÊÂÎñ¿â£¬£¬£¬£¬£¬£¬£¬£¬¼´¿ÉÓÐЧ¼ì²â»ò·À»¤¸Ã·ì϶Ôì³ÉµÄ¹¥»÷·çÏÕ¡£¡£¡£¡£¡£ÊÂÎñ¿âÏÂÔصØÖ·£º

https://venustech.download.venuscloud.cn/


2¡¢8827Ì«Ñô¼¯ÍÅÖն˲úÆ·¹æ»®


Ìì«‘Öն˰²È«Ò»Ì廯£¨EDR£©Ìṩ·ì϶µÄרÏîÑéÖ¤²é³­ÄÜÁ¦¿É¶Ô·ì϶פÁôÖն˽øÐÐÈ«Íøͬ²½ÑéÖ¤£¬£¬£¬£¬£¬£¬£¬£¬Í¬Ê±ÊµÊ±¼à¿Ø²¢¸æ¾¯Òì³£×Ó¸¸¹ý³Ì¡¢¼à¿ØÖ÷»úÒì³£±íÁ¬¼ì²â£¬£¬£¬£¬£¬£¬£¬£¬Ô¤·À·ì϶¹¥»÷·çÏÕ¡£¡£¡£¡£¡£


ͼƬ4.jpg


3¡¢8827Ì«Ñô¼¯ÍÅ©ɨ²úÆ·¹æ»®


£¨1£©¡°8827Ì«Ñô¼¯ÍÅ·ì϶ɨÃèϵͳV6.0¡±²úÆ·ÒÑÖ§³Ö¶Ô¸Ã·ì϶½øÐÐɨÃè¡£¡£¡£¡£¡£


ͼƬ5.png


£¨2£©8827Ì«Ñô¼¯ÍÅ·ì϶ɨÃèϵͳ608XϵÁа汾ÒÑÖ§³Ö¶Ô¸Ã·ì϶½øÐÐɨÃè¡£¡£¡£¡£¡£


ͼƬ6.png


4¡¢8827Ì«Ñô¼¯ÍÅ×ʲúÓë´àÈõÐÔÖÎÀíƽ̨²úÆ·¹æ»®


8827Ì«Ñô¼¯ÍÅ×ʲúÓë´àÈõÐÔÖÎÀíƽ̨ʵʱ²É¼¯²¢¸üеý±¨ÐÅÏ¢£¬£¬£¬£¬£¬£¬£¬£¬¶ÔÈë¿â×ʲú·ì϶Apache HertzBeat SnakeYaml·´ÐòÁл¯·ì϶£¨CVE-2024-42323£©½øÐÐÖÎÀí¡£¡£¡£¡£¡£


ͼƬ7.png


5¡¢8827Ì«Ñô¼¯ÍÅ°²È«ÖÎÀíºÍ̬ÊƸÐ֪ƽ̨²úÆ·¹æ»®


Óû§Äܹ»Í¨¹ýÌ©ºÏ°²È«ÖÎÀíºÍ̬ÊƸÐ֪ƽ̨£¬£¬£¬£¬£¬£¬£¬£¬½øÐйØÁªÕ½ÊõÅäÖ㬣¬£¬£¬£¬£¬£¬£¬½áºÏÏÖʵ»·¾³ÖÐϵͳÈÕÖ¾ºÍ°²È«É豸µÄ¸æ¾¯ÐÅÏ¢½øÐгÖÐø¼à¿Ø£¬£¬£¬£¬£¬£¬£¬£¬´Ó¶ø·¢ÏÖ¡°Apache HertzBeat SnakeYaml·´ÐòÁл¯·ì϶£¨CVE-2024-42323£©¡±µÄ·ì϶ÀûÓù¥»÷ÐÐΪ¡£¡£¡£¡£¡£


£¨1£©ÔÚÌ©ºÏµÄƽ̨ÖУ¬£¬£¬£¬£¬£¬£¬£¬Í¨¹ý´àÈõÐÔ·¢ÏÖÖ°ÄÜÕë¶Ô¡°Apache HertzBeat SnakeYaml·´ÐòÁл¯·ì϶£¨CVE-2024-42323£©¡±·ì϶ɨÃ蹤×÷£¬£¬£¬£¬£¬£¬£¬£¬ÅŲéÖÎÀíÍøÂçÖÐÊÜ´Ë·ì϶ӰÏìµÄ³ÁÒª×ʲú¡£¡£¡£¡£¡£


ͼƬ8.png


£¨2£©Æ½Ì¨¡°¹ØÁª·ÖÎö¡±Ä£¿£¿£¿ £¿£¿£¿£¿éÖУ¬£¬£¬£¬£¬£¬£¬£¬Ôö³¤¡°L2_Apache HertzBeat SnakeYaml·´ÐòÁл¯·ì϶¡±£¬£¬£¬£¬£¬£¬£¬£¬Í¨¹ý8827Ì«Ñô¼¯Íżì²âÉ豸¡¢Ö¸±êÖ÷»úϵͳµÈÉ豸µÄ¸æ¾¯ÈÕÖ¾£¬£¬£¬£¬£¬£¬£¬£¬·¢ÏÖ±í²¿¹¥»÷ÐÐΪ¡£¡£¡£¡£¡£


ͼƬ9.png


ͨ¹ý¶ÈÎö¹æ¶¨×Ô¶¯½«"L2_Apache HertzBeat SnakeYaml·´ÐòÁл¯·ì϶"·ì϶ÀûÓõĿÉÒÉÐÐΪԴµØÖ·Ôö³¤µ½¹Û²ìÁÐ±í¡°¸ß·çÏÕÏνӡ±ÖУ¬£¬£¬£¬£¬£¬£¬£¬×÷ΪÄÚ²¿µý±¨Êý¾ÝʹÓᣡ£¡£¡£¡£


£¨3£©Ôö³¤¡°L3_Apache HertzBeat SnakeYaml·´ÐòÁл¯·ì϶¡±£¬£¬£¬£¬£¬£¬£¬£¬Ç°ÌáÈÕÖ¾Ãû³ÆµÅ×Ú»òÔ̺¬¡°L2_Apache HertzBeat SnakeYaml·´ÐòÁл¯·ì϶¡±£¬£¬£¬£¬£¬£¬£¬£¬¹¥»÷Á˾ֵÅ×Ú¡°¹¥»÷³É¹¦¡±£¬£¬£¬£¬£¬£¬£¬£¬Ö÷ÕŵØÖ·ÒýÓÃ×ʲú·ì϶»òÔ´µØÖ·Æ¥ÅäÍþвµý±¨£¬£¬£¬£¬£¬£¬£¬£¬´Ó¶øÌáÉý¹ØÁª¹æ¶¨µÄÏàÐŶÈ¡£¡£¡£¡£¡£


ͼƬ10.png