Dangerous vulnerability in the SaltStack configuration management system

The new releases of the SaltStack centralized configuration management system, 3002.5, 3001.6 and 3000.8, fix a vulnerability (CVE-2020-28243) that allows an unprivileged local user on a host to escalate their privileges on the system. The problem is caused by a bug in the salt-minion handler that receives commands from the central server. The vulnerability was discovered in November, but has only now been fixed.

When performing the "restart_service" operation, it is possible to substitute arbitrary commands by manipulating the process name. Specifically, the presence of a package was checked by launching the package manager and passing it an argument derived from the process name. The package manager was launched by calling the popen function in shell mode, but without escaping special characters. By changing the process name and using characters such as ";" and "|", a user could arrange for their own code to be executed.
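The defect described above is the classic shell-string-from-untrusted-input pattern. The following Python snippet is an added illustration, not code from SaltStack or from the article: it places the vulnerable construction (a command string built for a shell, returned here and never executed) beside a hardened version that validates the name against a conservative allow-list and passes it as a single argv element, so no shell ever parses it. The `rpm -q` invocation, the allow-list regex and the sample process name are assumptions made for the example.

```python
import re
import subprocess

# Constructed sample input (not taken from the advisory): a process name an
# unprivileged local user could choose, carrying the kind of shell
# metacharacters the article mentions.
SAMPLE_NAME = "nginx; echo injected"


def package_query_shell_string(process_name: str) -> str:
    """Vulnerable pattern: the process name is spliced into one command string
    that would then be handed to popen() with shell=True. Only the string is
    returned; it is deliberately never executed. The 'rpm -q' command is an
    assumption standing in for whatever package-manager call Salt used."""
    return "rpm -q %s" % process_name


# Conservative allow-list for package/process names. Assumption: real
# distributions may permit other characters; adjust to match your packaging.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def validate_name(process_name: str) -> str:
    """Reject anything outside the allow-list before it reaches a subprocess."""
    if not _NAME_RE.fullmatch(process_name):
        raise ValueError(
            "rejecting process name with unexpected characters: %r" % process_name
        )
    return process_name


def package_query_argv(process_name: str) -> list:
    """Hardened pattern: validate, then build an argv list so the name is a
    single argument and no shell parses it (use with subprocess.run(argv),
    never with shell=True)."""
    return ["rpm", "-q", validate_name(process_name)]


def echo_argv(process_name: str) -> str:
    """Shows that an argv list keeps metacharacters as literal data even when
    validation is skipped: 'echo' prints the name back unchanged, because the
    ';' never reaches a shell."""
    result = subprocess.run(
        ["echo", process_name], capture_output=True, text=True, check=True
    )
    return result.stdout.rstrip("\n")


def detect_metacharacters(process_name: str) -> bool:
    """Cheap audit/log-review check: does a process name contain shell syntax?
    Names that trip this on a host running an unpatched minion deserve a look."""
    return any(c in process_name for c in ";|&$`<>\n")


if __name__ == "__main__":
    print("would have been passed to the shell:", package_query_shell_string(SAMPLE_NAME))
    print("argv keeps it literal:", echo_argv(SAMPLE_NAME))
    try:
        package_query_argv(SAMPLE_NAME)
    except ValueError as err:
        print("hardened path:", err)
    print("hardened path, valid name:", package_query_argv("nginx"))
```

The fix that matters is the argv list: validation narrows the input, but even without it the hardened path cannot be turned into a second command, because the operating system receives the name as one argument rather than as text for a shell to interpret.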

In addition to the problem above, SaltStack 3002.5 also fixes 9 more vulnerabilities:

  • CVE-2021-25281 - due to the lack of proper authorization checks, a remote attacker can launch any wheel module on the side of the master control server by accessing SaltAPI and compromise the entire infrastructure.
  • CVE-2021-3197 - an issue in the SSH module for minion that allows arbitrary shell commands to be substituted through argument substitution with the "ProxyCommand" setting or by passing ssh_options via the API.
  • CVE-2021-25282 - unauthorized access to wheel_async allows a SaltAPI call to overwrite a file outside the base directory and execute arbitrary code on the system.
  • CVE-2021-25283 - a base-directory restriction vulnerability in the wheel.pillar_roots.write handler in SaltAPI allows an arbitrary template to be injected into the jinja renderer.
  • CVE-2021-25284 - passwords set via webutils were stored in clear text in the /var/log/salt/minion log.
  • CVE-2021-3148 - possible command substitution through a SaltAPI call to salt.utils.thin.gen_thin().
  • CVE-2020-35662 - missing SSL certificate verification in the default configuration.
  • CVE-2021-3144 - possibility of using eauth authentication tokens after they have expired.
  • CVE-2020-28972 - the code did not verify the SSL/TLS server certificate, which allowed MITM attacks.

Source: opennet.ru
