Ofufuza ochokera ku Netflix ndi Google Pali ziwopsezo zisanu ndi zitatu pakukhazikitsa kosiyanasiyana kwa protocol ya HTTP/2 zomwe zingayambitse kukana ntchito potumiza zopempha zapaintaneti mwanjira inayake. Vutoli limakhudza ma seva ambiri a HTTP okhala ndi chithandizo cha HTTP/2 kumlingo wina ndipo kumapangitsa kuti wogwira ntchito azitha kukumbukira kapena kupanga kuchuluka kwa CPU. Zosintha zomwe zimachotsa zofooka zaperekedwa kale ΠΈ , koma panopa kwa Apache httpd ndi .
Mavuto adabwera chifukwa cha zovuta zomwe zidayambitsidwa mu protocol ya HTTP/2 yokhudzana ndi kugwiritsa ntchito zida zamabina, njira yochepetsera kuyenderera kwa data mkati mwa maulumikizidwe, njira yoyendetsera patsogolo, komanso kupezeka kwa mauthenga owongolera a ICMP omwe akugwira ntchito pa HTTP/2. mlingo (mwachitsanzo, ping, sinthaninso, ndi zosintha zoyenda). Kukhazikitsa zambiri sikunachepetse kuyendetsa bwino kwa mauthenga owongolera, sikunayang'anire bwino pamzere wofunikira pakukonza zopempha, kapena kugwiritsa ntchito njira zocheperako zama algorithms owongolera.
Njira zambiri zowukira zomwe zadziwika zimatsikira potumiza zopempha zina kwa seva, zomwe zimapangitsa kuti pakhale mayankho ambiri. Ngati kasitomala sawerenga deta kuchokera ku socket ndipo satseka kulumikizana, mzere woyankha woyankha kumbali ya seva umadzaza mosalekeza. Khalidweli limapanga katundu pamakina oyang'anira mizere pokonza zolumikizira ma netiweki ndipo, kutengera zomwe zakhazikitsidwa, zimabweretsa kutopa kwa kukumbukira komwe kulipo kapena zida za CPU.
Zowopsa zomwe zidazindikirika:
- CVE-2019-9511 (Data Dribble) - wowukira amapempha kuchuluka kwa data mu ulusi wambiri posintha kukula kwa zenera ndi ulusi wotsogola, kukakamiza seva kuti ipangitse deta mu midadada ya 1-byte;
- CVE-2019-9512 (Ping Flood) - wowukira amawononga mauthenga a ping mosalekeza pa intaneti ya HTTP/2, zomwe zimapangitsa kuti mzere wamkati wamayankho otumizidwa kusefukira mbali inayo;
- CVE-2019-9513 (Resource Loop) - wowukira amapanga ulusi wopempha angapo ndikusintha mosalekeza zomwe ulusiwo umakonda, zomwe zimapangitsa kuti mtengo woyambirira ugwedezeke;
- CVE-2019-9514 (Bwezerani Chigumula) - wowukira amapanga ulusi wambiri
ndikutumiza pempho losavomerezeka kudzera mu ulusi uliwonse, zomwe zimapangitsa seva kutumiza mafelemu a RST_STREAM, koma osawavomereza kuti adzaze pamzere woyankha; - CVE-2019-9515 (Settings Flood) - wowukirayo amatumiza mafelemu opanda kanthu a "SETTINGS", poyankha zomwe seva iyenera kuvomereza kulandila pempho lililonse;
- CVE-2019-9516 (0-Length Headers Leak) - wowukira amatumiza mitu yambiri yokhala ndi dzina lopanda pake komanso yopanda phindu, ndipo seva imagawira chosungira kukumbukira kuti chisunge mutu uliwonse ndipo samachimasula mpaka gawolo litatha. ;
- CVE-2019-9517 (Internal Data Buffering) - wowukira amatsegula
HTTP/2 zenera lotsetsereka kuti seva itumize deta popanda zoletsa, koma imasunga zenera la TCP lotsekedwa, kuletsa deta kuti isalembedwe kwenikweni ku socket. Kenako, wowukirayo amatumiza zopempha zomwe zimafuna kuyankha kwakukulu; - CVE-2019-9518 (Empty Frames Flood) - Wowukira amatumiza mitundu yosiyanasiyana ya mafelemu amtundu wa DATA, HEADERS, CONTINUATION, kapena PUSH_PROMISE, koma opanda malipiro opanda kanthu komanso mbendera yoletsa kuyimitsa. Seva imawononga nthawi kukonza chimango chilichonse, chosagwirizana ndi bandwidth yomwe wowukirayo amadya.
Source: opennet.ru