ProHoster > Блог > rongo ipurangi > Nga whakaraeraetanga kino i roto i te punaha whakahaere whirihoranga SaltStack

Nga whakaraeraetanga kino i roto i te punaha whakahaere whirihoranga SaltStack

Ko nga whakaputanga hou o te punaha whakahaere whirihoranga a SaltStack 3002.5, 3001.6 me 3000.8 kua whakatauhia he whakaraeraetanga (CVE-2020-28243) e taea ai e tetahi kaiwhakamahi kore whai mana o te kaihautu te whakanui ake i o raatau mana ki te punaha. Ko te raruraru i puta mai i te pepeke i roto i te kaihautu tote-minion i whakamahia ki te tango i nga whakahau mai i te tūmau pokapū. I kitea te whakaraeraetanga i te marama o Noema, engari katahi ano ka whakatikahia.

I te wa e mahi ana i te mahi "tirohia ano", ka taea te whakakapi i nga whakahau ma te whakamahi i te ingoa tukanga. Ina koa, ko te tono mo te noho mai o tetahi kete i mahia ma te whakarewa i te kaiwhakahaere o te kete me te tuku tohenga i ahu mai i te ingoa tukanga. Ka whakarewahia te kaiwhakahaere kete ma te karanga i te mahi popen i roto i te aratau whakarewa anga, engari kaore e mawhiti i nga tohu motuhake. Ma te huri i te ingoa tukanga me te whakamahi tohu penei ";" me "|" ka taea e koe te whakarite i te mahi o to waehere.

I tua atu i te raru kua tohua, kua whakatikahia e SaltStack 3002.5 etahi atu whakaraeraetanga e 9:

  • CVE-2021-25281 - na te kore o te manatokonga mana tika, ka taea e te kaiwhaiwhai mamao te whakarewa i tetahi waahanga wira i te taha o te kaiwhakahaere matua whakahaere ma te uru atu ki a SaltAPI me te whakararu i nga hanganga katoa.
  • Ko te CVE-2021-3197 he take kei roto i te kōwae SSH mo te minion e taea ai te whakahaere i nga whakahau anga ma te whakakapi tohenga me te tautuhinga "ProxyCommand" me te tuku ssh_options ma te API.
  • CVE-2021-25282 Ko te uru kore mana ki te wheel_async ka taea te waea ki a SaltAPI ki te tuhirua i tetahi konae kei waho o te whaiaronga turanga me te whakahaere i nga waehere i runga i te punaha.
  • CVE-2021-25283 Ko te whakaraeraetanga o te raarangi tuuturu kei roto i te wheel.pillar_roots.write kaikawe i SaltAPI ka taea te taapiri i tetahi tauira taapiri ki te kaitaki jinja.
  • CVE-2021-25284 – ko nga kupuhipa kua tautuhia ma nga webutils i whakatakotohia ki roto i nga tuhinga maamaa i roto i te /var/log/salt/minion log.
  • CVE-2021-3148 - Ka taea te whakakapi whakahau ma te waea SaltAPI ki salt.utils.thin.gen_thin().
  • CVE-2020-35662 - Kei te ngaro te tiwhikete tiwhikete SSL i te whirihoranga taunoa.
  • CVE-2021-3144 - Ka taea te whakamahi i nga tohu motuhēhēnga eauth i muri i te paunga.
  • CVE-2020-28972 - Kaore i tirohia e te waehere te tiwhikete SSL/TLS a te tūmau, i whakaaetia ai nga whakaeke MITM.

Source: opennet.ru

Tāpiri i te kōrero