GitLab yakayambira vashandisi nezvekuwedzera kwezviitwa zvakashata zvine chekuita nekushandiswa kwenjodzi CVE-2021-22205, izvo zvinovatendera kuti vatore kodhi yavo kure kure vasina humbowo pane server inoshandisa GitLab yekudyidzana budiriro chikuva.
Nyaya yavepo muGitLab kubvira shanduro 11.9 uye yakagadziriswa muna Kubvumbi muGitLab yakaburitsa 13.10.3, 13.9.6, uye 13.8.8. Nekudaro, tichitarisa nekuongorora kwaGumiguru 31 kweinetiweki yepasi rose yezviitiko makumi matanhatu ezviuru zvinowanikwa pachena zveGitLab, makumi mashanu muzana emasisitimu anoenderera nekushandisa echinyakare mavhezheni eGitLab ayo anogona kukuvara. Iwo anodiwa anogadziridzwa akaiswa pane chete 60% yemaseva akaedzwa, uye pa50% yemasisitimu zvaisaita kuona nhamba yeshanduro iri kushandiswa.
Mafungiro asina hanya eGitLab server administrators kuisa zvigadziriso akatungamira kune chokwadi chekuti kusazvibata kwakatanga kushandiswa nevapambi, vakatanga kuisa malware pamaseva uye vachiabatanidza nebasa rebhotnet rinotora chikamu mukurwiswa kweDDoS. Pamusoro payo, huwandu hwetraffic panguva yekurwiswa kweDDoS yakagadzirwa nebhotnet yakavakirwa panjodzi yeGitLab maseva yakasvika 1 terabits pasekondi.
Kusagadzikana kunokonzerwa nekusagadziriswa kwemafaira emifananidzo akadhawunirodha nemunhu wekunze anoenderana neExifTool raibhurari. Kusagadzikana muExifTool (CVE-2021-22204) kwakabvumira mirairo yekupokana kuti iitwe musystem kana uchibvisa metadata kubva kumafaira ari muDjVu fomati: (metadata (Copyright "\ " . qx{echo test >/tmp/test} . \ "b"))
Zvakare, sezvo iyo chaiyo fomati yakatemerwa muExifTool neMIME yemhando yemukati, uye kwete iyo faira rekuwedzera, anorwisa anogona kudhawunirodha DjVu gwaro nekushandisa pasi pechiratidziro chenguva dzose JPG kana TIFF mufananidzo (GitLab inodaidza ExifTool yemafaira ese ane. jpg, jpeg extensions uye tiff yekuchenesa zvisingakoshi tags). Muenzaniso wekushandisa. Mukugadzika kwekugadzika kweGitLab CE, kurwiswa kunogona kuitwa nekutumira zvikumbiro zviviri zvisingade kuvimbiswa.
Vashandisi veGitLab vanorayirwa kuti vaone kuti vari kushandisa vhezheni yazvino uye, kana vari kushandisa kuburitswa kwechinyakare, kuti vangoisa zvigadziriso, uye kana nekuda kwechimwe chikonzero izvi zvisingaite, kusarudza kuisa chigamba chinovharira njodzi. Vashandisi vemasisitimu asina kudhindwa vanorayirwawo kuti vaone kuti hurongwa hwavo haukanganisike nekuongorora matanda uye nekutarisa anofungira maakaundi ekurwisa (semuenzaniso, dexbcx, dexbcx818, dexbcxh, dexbcxi uye dexbcxa99).
Source: opennet.ru