Dangerous vulnerabilities in the SaltStack configuration management system

New releases of the SaltStack centralized configuration management system, 3002.5, 3001.6 and 3000.8, fix a vulnerability (CVE-2020-28243) that allows an unprivileged local user to escalate their privileges on the system. The problem is caused by a bug in the salt-minion handler used to receive commands from the central server. The vulnerability was discovered in November, but has only now been fixed.

When performing the "restartcheck" operation, it is possible to inject arbitrary commands by manipulating the process name. Specifically, the check for the presence of a package was carried out by launching the package manager and passing it an argument derived from the process name. The package manager was launched by calling the popen function in shell-launch mode, but without escaping special characters. By changing the process name and using characters such as ";" and "|", you can arrange for your own code to be executed.
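As an added illustration (not SaltStack's own code), the pattern behind CVE-2020-28243 described above, a shell-mode command string built from an unescaped process name, shown next to two hardened forms and an allowlist check; the package-manager command and the process names are hypothetical stand-ins, and the runner uses a Python one-liner in place of a real package manager:

```python
"""Vulnerable-pattern vs. hardened package query (illustrative, not Salt code)."""
import re
import shlex
import subprocess
import sys

# Allowlist for names that may be handed to a package manager (assumed policy).
PACKAGE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.+_-]*$")


def build_query_unsafe(pkg_cmd: str, proc_name: str) -> str:
    """The defect the advisory describes: the untrusted name is spliced into a
    string that popen runs in shell mode. 'sshd; echo injected' becomes two
    shell commands. Built here for comparison only, never executed."""
    return f"{pkg_cmd} {proc_name}"


def build_query_quoted(pkg_cmd: str, proc_name: str) -> str:
    """Fix 1: if shell mode cannot be avoided, quote the value so the shell
    treats it as a single word regardless of ';', '|' or spaces."""
    return f"{pkg_cmd} {shlex.quote(proc_name)}"


def build_query_safe(pkg_cmd: list, proc_name: str) -> list:
    """Fix 2 (preferred): argv list, shell=False. The name is one argv element
    and no shell ever parses it."""
    return list(pkg_cmd) + [proc_name]


def is_plausible_package_name(proc_name: str) -> bool:
    """Defence in depth: reject names that could not be a package name anyway."""
    return PACKAGE_NAME.fullmatch(proc_name) is not None


# Stand-in "package manager": a Python one-liner printing each argv element
# on its own line, so we can observe exactly what the child received.
ECHO_ARGV = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]


def run_query_safe(pkg_cmd: list, proc_name: str) -> list:
    """Run the argv-list form and return the arguments the child actually saw."""
    argv = build_query_safe(pkg_cmd, proc_name)
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    hostile = "sshd; echo injected"          # constructed hostile process name
    print("unsafe string:", build_query_unsafe("dpkg-query -W", hostile))
    print("quoted string:", build_query_quoted("dpkg-query -W", hostile))
    print("child argv:   ", run_query_safe(ECHO_ARGV, hostile))
```

With the argv-list form the child receives the whole hostile name as one argument, which is the observable difference a code reviewer should look for in any popen/shell=True call site.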

In addition to the problem described above, SaltStack 3002.5 also fixes 9 other vulnerabilities:

  • CVE-2021-25281 - due to the lack of proper authorization checks, a remote attacker can launch any wheel module on the control server side by accessing SaltAPI, and thereby compromise the entire infrastructure.
  • CVE-2021-3197 - an issue in the minion's SSH module that allows arbitrary shell commands to be executed by substituting "ProxyCommand" or by passing ssh_options via the API.
  • CVE-2021-25282 - unauthorized access to wheel_async allows a SaltAPI call to write a file outside the base directory and execute arbitrary code on the system.
  • CVE-2021-25283 - a directory traversal vulnerability in wheel.pillar_roots.write in SaltAPI allows an arbitrary template to be added to the jinja renderer.
  • CVE-2021-25284 - passwords set via webutils were written in clear text to the /var/log/salt/minion log.
  • CVE-2021-3148 - possible command substitution via a SaltAPI call to salt.utils.thin.gen_thin().
  • CVE-2020-35662 - SSL certificate verification is missing in the default configuration.
  • CVE-2021-3144 - ability to use eauth authentication tokens after they have expired.
  • CVE-2020-28972 - the code did not verify the server's SSL/TLS certificate, which allowed MITM attacks.

Source: opennet.ru
