In the early morning of December 10th, details of a remote code execution vulnerability in Log4j2, an Apache open source project and one of the most widely used Java logging frameworks in the world, were made public. The vulnerability affects many of the world's top open source components, such as Apache Struts2, Apache Solr, Apache Druid and Apache Flink. Because the exploit method is simple, once an attacker exploits the vulnerability they can execute arbitrary code on the target server, causing great harm to the victim. After the vulnerability was announced, the vendor immediately released a new version, log4j-2.15.0-rc1, to fix it, and later released log4j-2.15.0-rc2 to fix it further.
However, misfortunes never come singly. Although everyone may have been busy patching Log4j2, we still have to find the energy for this new piece of news: there is a vulnerability called "NotLegit" in Microsoft Azure App Service, which affects all PHP, Node, Ruby and Python applications deployed via "Local Git".
Vulnerability details
Azure is a platform for hosting websites and web applications. Users only need to select a supported programming language and operating system, then deploy their source code to a server hosted by Azure via FTP, SSH or by pulling it from a Git service, after which the application can be accessed under the azurewebsites.net domain. Because it is easy to use, it is quite popular among developers, and this vulnerability appeared in the deployment step.
Under normal circumstances, when developers deploy Git repositories to web servers or storage buckets, they do not upload the .git folder, because it contains sensitive data. In Azure's setup, however, if the application is deployed through Local Git, the Git repository ends up in a public directory that everyone can access. To protect the sensitive data from exposure, Microsoft added a "web.config" file to the .git folder that restricts public access, but that file is only processed by the Microsoft IIS web server.
This is where the vulnerability appears: the protection is only effective for C# or ASP.NET applications served by IIS. Because other web servers do not process the "web.config" file, for PHP, Node, Ruby and Python applications deployed on a different web server an attacker can retrieve the /.git directory, and with it the source code, from the target application.
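As an added example (not code from the original article or from Microsoft), here is a self-check an application owner can run against their own Azure-hosted app to confirm whether the .git folder is being served as static content. It requests /.git/HEAD and /.git/config and only reports exposure when the response body looks like real Git metadata, so a catch-all "200 OK" error page does not produce a false positive; the fetch function is injectable so the logic can be tested offline.

```python
import re
import urllib.error
import urllib.request

# Paths that any web server serving the .git folder will expose (constructed list for this check).
GIT_PROBE_PATHS = ["/.git/HEAD", "/.git/config"]
# A genuine HEAD file is either a symbolic ref or a bare 40-hex commit id.
HEAD_PATTERN = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")


def http_get(url, timeout=5):
    """Fetch url and return (status, body_text); network errors become (None, '')."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(2048).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def looks_like_git_head(body):
    """True only for a real HEAD file, not for an HTML page returned with status 200."""
    text = body.strip()
    if not text:
        return False
    return bool(HEAD_PATTERN.match(text.splitlines()[0]))


def check_git_exposure(base_url, fetch=http_get):
    """Probe one site you own; return {'exposed': bool, 'findings': [(path, status), ...]}."""
    base = base_url.rstrip("/")
    findings = []
    exposed = False
    for path in GIT_PROBE_PATHS:
        status, body = fetch(base + path)
        findings.append((path, status))
        if status == 200 and path.endswith("/HEAD") and looks_like_git_head(body):
            exposed = True
        if status == 200 and path.endswith("/config") and "[core]" in body:
            exposed = True
    return {"exposed": exposed, "findings": findings}


if __name__ == "__main__":
    import sys
    # Usage: python check_git_exposure.py https://<your-app>.azurewebsites.net
    for site in sys.argv[1:]:
        print(site, check_git_exposure(site))
```

A result of exposed=True means the web server in front of the app ignores the web.config protection and the .git folder must be removed from the served directory or blocked in the server configuration.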
Vulnerability response
In response to this vulnerability, Microsoft has taken the following measures:
- All PHP images have been updated to block serving the .git folder as static content, as a defense-in-depth measure.
- The security guidance document was updated with a new section on protecting source code, and the Local Git deployment documentation was updated.
Microsoft has notified the affected users via email between December 7 and 15, 2021, and provided specific guidance on mitigating the problem.
If you did not receive the email, you do not need to worry at first, because you may not be affected by the vulnerability. The scope of affected applications is as follows:
- All PHP, Node, Ruby and Python applications deployed using "Local Git" in Azure App Service since September 2017.
- All PHP, Node, Ruby and Python applications in Azure App Service deployed from Git source since September 2017 after files were created or modified in the application container.
Microsoft also noted that this vulnerability only affects applications deployed on Linux-based Azure servers. If your application is hosted on Windows Server, it is not affected.
The vulnerability was discovered and reported by the cloud security vendor Wiz, and Microsoft paid a $7,500 bounty for it.
Finally, if you have received an email notification from Microsoft, complete the fix as soon as possible according to the instructions in the email.