BusyBox Security Audit Reveals 14 Minor Vulnerabilities

Researchers from Claroty and JFrog have published the results of a security audit of BusyBox, a package widely used in embedded devices that provides a set of standard UNIX utilities built as a single executable file. The audit identified fourteen vulnerabilities, all of which were already fixed in the August release of BusyBox 1.34.0. Almost all of the issues are harmless and of questionable value in real attacks, because they require the utilities to be run with arguments received from outside.

The exception is CVE-2021-42374, which allows a denial of service when processing a specially crafted compressed file with the unlzma utility; if BusyBox was built with the CONFIG_FEATURE_SEAMLESS_LZMA option, the same applies to other BusyBox components, including tar, unzip, rpm, dpkg, lzma and man.

The vulnerabilities CVE-2021-42373, CVE-2021-42375, CVE-2021-42376 and CVE-2021-42377 can cause a denial of service, but require the man, ash and hush utilities to be run with attacker-specified parameters. The vulnerabilities CVE-2021-42378 through CVE-2021-42386 affect the awk utility and could lead to code execution, but to exploit them an attacker must get a specific pattern executed in awk (i.e. awk has to be started with data received from the attacker).

In addition, a vulnerability (CVE-2021-43523) in the uclibc and uclibc-ng libraries is noted: when the gethostbyname(), getaddrinfo(), gethostbyaddr() and getnameinfo() functions are called, the domain name returned by the DNS server is neither checked nor sanitized. For example, in response to a resolution request, a DNS server controlled by an attacker can return a host name of the form "<script>alert('xss')</script>.attacker.com", which is passed unchanged to the program that made the request and may then be displayed in a web interface without escaping. The issue was fixed in the uclibc-ng 1.0.39 release by adding code that validates the returned names, similar to what glibc does.
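To illustrate the kind of validation that closes this hole, here is an added example (not code from uclibc-ng, glibc or the article) of a resolver-side hostname check modelled loosely on glibc's res_hnok(): only dot-separated labels of letters, digits and hyphens are accepted, with length limits from RFC 1035. glibc's exact rules differ in details (for instance its treatment of underscores), so this is an illustration of the approach, not a copy of either library. The DNS answers fed through it, including the XSS payload from the text, are constructed for the demonstration; the helper names are the example's own.

```c
/* Added example, not code from uclibc-ng or glibc: a resolver-side check
 * that rejects hostnames a DNS server returns unless they are syntactically
 * valid, in the spirit of glibc's res_hnok() (glibc's exact rules differ in
 * details, e.g. its handling of underscores, so treat this as an illustration).
 * The sample responses below are constructed for the demonstration. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTNAME 253   /* RFC 1035 total name length in text form */
#define MAX_LABEL    63    /* RFC 1035 per-label limit */

/* Returns true if `name` consists only of dot-separated labels of letters,
 * digits and hyphens, with no empty label, no label starting or ending with
 * a hyphen, and no label longer than 63 bytes. A single trailing dot
 * (fully qualified form) is tolerated. */
bool hostname_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_HOSTNAME + 1)
        return false;
    if (name[len - 1] == '.') {          /* strip one trailing dot */
        if (len == 1)
            return false;
        len--;
    }
    if (len > MAX_HOSTNAME)
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            /* empty label ("a..b") or label ending in '-' */
            if (label_len == 0 || name[i - 1] == '-')
                return false;
            label_len = 0;
            continue;
        }
        if (!isalnum(c) && c != '-')     /* rejects '<', '>', '(', '\'' ... */
            return false;
        if (c == '-' && label_len == 0)  /* label starting with '-' */
            return false;
        if (++label_len > MAX_LABEL)
            return false;
    }
    /* final label must be non-empty and must not end in '-' */
    return label_len > 0 && name[len - 1] != '-';
}

/* What a hardened resolver wrapper would do: hand the name to the caller only
 * if it passes the check, otherwise signal failure instead of the raw bytes. */
const char *sanitized_dns_name(const char *from_dns)
{
    return hostname_ok(from_dns) ? from_dns : NULL;
}

/* Helper for the label-length boundary: builds "<n x 'a'>.example.com". */
bool long_label_ok(size_t n)
{
    char buf[MAX_HOSTNAME + 64];
    if (n >= sizeof buf - sizeof ".example.com")
        return false;
    memset(buf, 'a', n);
    strcpy(buf + n, ".example.com");
    return hostname_ok(buf);
}

int main(void)
{
    /* constructed DNS answers: one legitimate, one fully qualified, one
     * carrying the XSS payload from the article, and two malformed names */
    const char *answers[] = {
        "www.example.com",
        "example.com.",
        "<script>alert('xss')</script>.attacker.com",
        "-leading.example.com",
        "a..b.example.com",
    };
    for (size_t i = 0; i < sizeof answers / sizeof answers[0]; i++) {
        const char *ok = sanitized_dns_name(answers[i]);
        printf("%-45s -> %s\n", answers[i], ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The point of the check is that a resolver answer is attacker-influenced input like any other: rejecting anything outside the hostname grammar at the library boundary means a program that later prints the name into HTML, a shell command or a log line never sees the payload at all, independent of whether that program escapes its output.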

Source: opennet.ru
