8 DoS vulnerabilities found in various implementations of the HTTP/2 protocol

Researchers from Netflix and Google have identified eight vulnerabilities in various implementations of the HTTP/2 protocol that allow a denial of service to be caused by sending a specially crafted stream of network requests. The problems affect most HTTP servers with HTTP/2 support to some degree and lead to the worker process running out of memory or to excessive CPU load. Updates that fix the vulnerabilities are already included in nginx 1.16.1/1.17.3 and H2O 2.2.6, but are not yet available for Apache httpd and other products.

The problems stem from complications introduced in the HTTP/2 protocol: the use of binary structures, a system for limiting data flows within connections, a stream prioritization mechanism, and ICMP-like control messages that operate at the HTTP/2 connection level (for example, ping, reset, and stream settings). Many implementations did not properly limit the flow of control messages, did not manage the priority queue efficiently when processing requests, or used suboptimal implementations of the flow control algorithms.

Most of the identified attack methods come down to sending certain requests to the server that lead to the generation of a large number of responses. If the client does not read data from the socket and does not close the connection, the response buffering queue on the server side fills up continuously. This behavior puts load on the queue management system that handles network connections and, depending on implementation specifics, leads to exhaustion of available memory or CPU resources.

Identified vulnerabilities:

  • CVE-2019-9511 (Data Dribble) - the attacker requests a large amount of data across multiple streams while manipulating the sliding window size and stream priority, forcing the server to queue the data in 1-byte blocks;
  • CVE-2019-9512 (Ping Flood) - the attacker continuously sends ping messages over an HTTP/2 connection, causing the internal queue of outgoing responses to flood on the other side;
  • CVE-2019-9513 (Resource Loop) - the attacker creates multiple request streams and continuously changes the priority of the streams, which causes the priority tree to be constantly reshuffled;
  • CVE-2019-9514 (Reset Flood) - the attacker creates multiple streams and sends an invalid request through each stream, causing the server to send RST_STREAM frames, but does not accept them, so that the response queue fills up;
  • CVE-2019-9515 (Settings Flood) - the attacker sends a stream of empty "SETTINGS" frames, and the server is obliged to acknowledge receipt of each one;
  • CVE-2019-9516 (0-Length Headers Leak) - the attacker sends a stream of headers with a zero-length name and a zero-length value, and the server allocates a memory buffer to store each header and does not release it until the session ends;
  • CVE-2019-9517 (Internal Data Buffering) - the attacker opens the HTTP/2 sliding window so that the server can send data without restriction, but keeps the TCP window closed, preventing the data from actually being written to the socket. The attacker then sends requests that require a large response;
  • CVE-2019-9518 (Empty Frames Flood) - the attacker sends a stream of frames of type DATA, HEADERS, CONTINUATION, or PUSH_PROMISE, but with an empty payload and without the end-of-stream flag. The server spends time processing each frame that is disproportionate to the bandwidth consumed by the attacker.
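Several of the issues above share one signature on the wire: a connection carrying far more control frames, or empty frames without the end-of-stream flag, than any normal client sends. The following is an added example, not code from the article or from any of the servers it names, showing a per-connection frame budget of the kind a server or an inspection tool can enforce. The function names and the `limit` value are assumptions, and it counts over one captured buffer rather than over a time window.

```python
import struct
from collections import Counter

# Frame type codes and flag bits from RFC 7540, section 6.
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS, PUSH_PROMISE, PING = range(7)
CONTINUATION = 9
END_STREAM = ACK = 0x1
CONTROL = {PRIORITY: "priority", RST_STREAM: "rst_stream",
           SETTINGS: "settings", PING: "ping"}
MAY_BE_EMPTY = {DATA, HEADERS, CONTINUATION, PUSH_PROMISE}

def frame(ftype, flags=0, stream_id=0, payload=b""):
    """Build one frame; used only to construct sample input."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, stream_id) + payload

def parse_frames(buf):
    """Yield (type, flags, stream_id, length) for each complete frame."""
    off = 0
    while off + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        if off + 9 + length > len(buf):
            break  # truncated frame: a real server would wait for more bytes
        yield ftype, flags, sid & 0x7FFFFFFF, length
        off += 9 + length

def over_budget(buf, limit=100):
    """Return the sorted frame classes whose count exceeds `limit`.

    `limit` is an assumed per-connection budget, not a value from any server.
    """
    counts = Counter()
    for ftype, flags, _sid, length in parse_frames(buf):
        if ftype in CONTROL:
            # SETTINGS/PING with ACK set are replies and need no answer.
            if not (ftype in (SETTINGS, PING) and flags & ACK):
                counts[CONTROL[ftype]] += 1
        elif ftype in MAY_BE_EMPTY and length == 0 and not flags & END_STREAM:
            counts["empty"] += 1
    return sorted(name for name, n in counts.items() if n > limit)

if __name__ == "__main__":
    # Constructed sample: a normal opening, then the same with a PING burst.
    normal = frame(SETTINGS) + frame(HEADERS, END_STREAM | 0x4, 1, b"\x82")
    print(over_budget(normal))
    print(over_budget(normal + frame(PING, payload=bytes(8)) * 150))
```

A connection that exceeds the budget for any class is a candidate for being closed, which bounds the response queue growth described above.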

Source: opennet.ru
