Vulnerable GitLab servers are being recruited into DDoS attacks

GitLab has warned users about a surge in malicious activity tied to exploitation of the vulnerability CVE-2021-22205, which allows unauthenticated remote code execution on servers running the GitLab development platform.

The issue has been present in GitLab since version 11.9 and was fixed in April in the GitLab releases 13.10.3, 13.9.6 and 13.8.8. Nevertheless, judging by a 31 October scan of 60 thousand publicly reachable GitLab instances, 50% of systems still run outdated GitLab versions that may be exposed to the vulnerability. The required updates were installed on only 21% of the servers examined, and for 29% of the systems the version in use could not be determined.

The careless attitude of GitLab server administrators toward installing updates led to the vulnerability being actively exploited: attackers began planting malware on the servers and enrolling them in a botnet used for DDoS attacks. At its peak, the traffic generated during a DDoS attack by the botnet built from vulnerable GitLab servers reached 1 terabit per second.

The vulnerability stems from incorrect handling of uploaded image files by an external parser built on the ExifTool library. An ExifTool vulnerability (CVE-2021-22204) allowed arbitrary commands to be executed on the system while extracting metadata from DjVu files: the DjVu annotation parser unescaped quoted strings by evaluating them with Perl's eval, so a crafted Copyright string breaks out of the quotes and runs a shell command through Perl's qx{} operator. The annotation below runs echo test >/tmp/test (the backslashes are followed by line breaks, which is what makes the string parse as a valid Perl expression):

    (metadata (Copyright "\
    " . qx{echo test >/tmp/test} . \
    "b"))

Moreover, because ExifTool determines the actual file format from the content (MIME type) rather than from the file extension, an attacker could upload a DjVu document disguised as an ordinary JPG or TIFF image (GitLab invokes ExifTool on every uploaded file with a .jpg, .jpeg or .tiff extension to strip unneeded tags). A working exploit example is publicly available. In the default GitLab CE configuration the attack can be carried out with two requests, neither of which requires authentication.
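The extension-versus-content mismatch described above, as an added example that is not part of the original article and is not GitLab's or ExifTool's code: a Python checker that builds a minimal DjVu carrying the annotation payload from the article, sniffs the real container format from its magic bytes, walks the DjVu IFF chunks, and rejects an upload whose extension disagrees with its content or whose ANTa annotation contains a Perl command-execution operator. The chunk layout follows the DjVu IFF85 structure; the qx{}/backtick regex is my own heuristic, and both sample files are constructed inline.

```python
import re
import struct

# Magic bytes used to sniff the real container format, independent of the
# file extension (this mirrors why the disguise worked: ExifTool sniffs too).
JPEG_MAGIC = b"\xff\xd8\xff"
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
DJVU_MAGIC = b"AT&T"                      # DjVu files start with "AT&T" + IFF85 "FORM"
DJVU_FORM_TYPES = (b"DJVU", b"DJVM", b"DJVI", b"THUM")

# Heuristic (my assumption, not from the advisory): Perl's qx{...} or backtick
# operator inside an annotation string has no legitimate use in metadata.
PERL_EXEC = re.compile(rb"\bqx\s*[{(\[]|`")

# The Copyright annotation from the article, with the escaped newlines that
# make the string parse as Perl once ExifTool eval()s it.
PAYLOAD = b'(metadata (Copyright "\\\n" . qx{echo test >/tmp/test} . \\\n"b"))'


def djvu_chunk(chunk_id: bytes, data: bytes) -> bytes:
    """One IFF85 chunk: 4-byte ID, big-endian length, data, padded to even length."""
    assert len(chunk_id) == 4
    chunk = chunk_id + struct.pack(">I", len(data)) + data
    return chunk + b"\x00" if len(data) % 2 else chunk


def build_djvu_with_annotation(ant_text: bytes) -> bytes:
    """Minimal single-page DjVu (FORM:DJVU) with an INFO chunk and an
    uncompressed ANTa annotation chunk carrying ant_text."""
    info = (struct.pack(">HHBB", 1, 1, 0, 26)   # width, height, minor, major version
            + struct.pack("<H", 100)            # dpi (little-endian in DjVu INFO)
            + bytes([22, 1]))                   # gamma*10, flags
    form_body = b"DJVU" + djvu_chunk(b"INFO", info) + djvu_chunk(b"ANTa", ant_text)
    return DJVU_MAGIC + b"FORM" + struct.pack(">I", len(form_body)) + form_body


def sniff_format(data: bytes) -> str:
    """Classify by content, the way a content-sniffing parser would."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data[:4] in TIFF_MAGICS:
        return "tiff"
    if data.startswith(DJVU_MAGIC + b"FORM") and data[12:16] in DJVU_FORM_TYPES:
        return "djvu"
    return "unknown"


def iter_chunks(buf: bytes, start: int, end: int):
    """Yield (chunk_id, payload) for IFF chunks in buf[start:end], descending
    into composite FORM chunks (multi-page DJVM documents nest them)."""
    off = start
    while off + 8 <= end:
        cid = buf[off:off + 4]
        (length,) = struct.unpack(">I", buf[off + 4:off + 8])
        if cid == b"FORM":
            yield from iter_chunks(buf, off + 12, off + 8 + length)  # skip secondary ID
        else:
            yield cid, buf[off + 8:off + 8 + length]
        off += 8 + length + (length & 1)     # chunks are padded to even offsets


def check_upload(filename: str, data: bytes) -> dict:
    """Decide whether an upload that GitLab would hand to ExifTool is safe to
    pass on: the extension must agree with the sniffed format, and a DjVu
    must not carry Perl code in its annotations."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = {"jpg": "jpeg", "jpeg": "jpeg", "tiff": "tiff"}.get(ext, "unknown")
    actual = sniff_format(data)
    findings = []
    if declared != actual:
        findings.append(f"extension claims {declared} but content is {actual}")
    if actual == "djvu":
        for cid, payload in iter_chunks(data, len(DJVU_MAGIC), len(data)):
            if cid == b"ANTa" and PERL_EXEC.search(payload):
                findings.append("ANTa annotation contains a Perl command-execution operator")
    return {"declared": declared, "actual": actual, "reject": bool(findings), "findings": findings}


# Constructed sample inputs: a benign minimal JPEG and the disguised DjVu.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
DISGUISED_DJVU = build_djvu_with_annotation(PAYLOAD)

if __name__ == "__main__":
    for name, blob in (("photo.jpg", SAMPLE_JPEG), ("avatar.jpg", DISGUISED_DJVU)):
        print(name, check_upload(name, blob))
```

The mismatch check alone would have stopped the attack as reported, because a DjVu container can never legitimately arrive under a .jpg or .tiff name; the annotation scan is a second, content-level signal that also catches a DjVu uploaded under its own extension, which is why the check runs on the sniffed format rather than on the declared one.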


GitLab users are advised to make sure they are running the current release and, if they are on an older release branch, to install the updates immediately; where that is not possible for some reason, to apply the targeted patch that blocks the vulnerability. Operators of unpatched systems are additionally advised to verify that their installations have not been compromised by reviewing the logs and looking for suspicious attacker-created accounts (for example dexbcx, dexbcx818, dexbcxh, dexbcxi and dexbcxa99).

Source: opennet.ru
