8 DoS vulnerabilities identified in various implementations of the HTTP/2 protocol

Researchers at Netflix and Google have disclosed eight vulnerabilities in various implementations of the HTTP/2 protocol that can cause a denial of service when a sequence of network requests is sent in a particular way. The problems affect most HTTP servers with HTTP/2 support to one degree or another and lead to the worker process running out of memory or generating a heavy CPU load. Fixes that eliminate the vulnerabilities have already been released in nginx 1.16.1/1.17.3 and H2O 2.2.6, but are not yet available for Apache httpd and other products.

The problems stem from features introduced in the HTTP/2 protocol: the use of binary framing, the flow-control mechanism that limits data within a connection, the stream prioritization mechanism, and the presence of control messages that operate at the level of the HTTP/2 connection (for example, ping, reset and stream settings). Many implementations did not rate-limit the flow of control messages properly, did not manage the priority tree correctly when processing requests, or used suboptimal implementations of the flow-control algorithms.

Most of the identified attack methods boil down to sending specific requests to the server that cause it to generate a large number of responses. If the client does not read data from the socket and does not close the connection, the response queue on the server side keeps growing. This behaviour puts load on the queue-management subsystem for network connections and, depending on implementation details, leads to exhaustion of the available memory or CPU resources.

Identified vulnerabilities:

  • CVE-2019-9511 (Data Dribble) - the attacker requests a large amount of data across multiple streams while manipulating the sliding window size and stream priority, forcing the server to queue the data in 1-byte blocks;
  • CVE-2019-9512 (Ping Flood) - the attacker continuously sends ping messages over an HTTP/2 connection, causing the internal queue of outgoing responses on the other side to overflow;
  • CVE-2019-9513 (Resource Loop) - the attacker creates many request streams and constantly changes the stream priorities, causing the priority tree to be reshuffled;
  • CVE-2019-9514 (Reset Flood) - the attacker creates many streams and sends an invalid request on each of them, causing the server to send RST_STREAM frames, but does not read them, filling the response queue;
  • CVE-2019-9515 (Settings Flood) - the attacker sends a stream of empty "SETTINGS" frames, each of which the server must acknowledge;
  • CVE-2019-9516 (0-Length Headers Leak) - the attacker sends a stream of headers with an empty name and an empty value, and the server allocates a buffer in memory to store each header and does not release it until the session ends;
  • CVE-2019-9517 (Internal Data Buffering) - the attacker opens the HTTP/2 sliding window so the server can send data without restriction, but keeps the TCP window closed, preventing the data from actually being written to the socket. The attacker then sends requests that require a large response;
  • CVE-2019-9518 (Empty Frames Flood) - the attacker sends a stream of DATA, HEADERS, CONTINUATION or PUSH_PROMISE frames that have an empty payload and no end-of-stream flag. The server spends time processing each frame, out of proportion to the bandwidth the attacker consumes.
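The attacks above share one shape: cheap client frames that each cost the server a queued reply, an allocation or a priority-tree update, with the client never draining its side of the connection. The following is an added example, not code from the article or from nginx, H2O, Apache httpd or any other project named on the page. It is a minimal HTTP/2 frame encoder/parser plus a per-connection "flood" heuristic of the kind the fixes for these CVEs introduced: frames that require a server response but advance no request are counted, and once they dominate the connection the server answers with GOAWAY(ENHANCE_YOUR_CALM). The frame classification, the 16-byte WINDOW_UPDATE threshold, the floor and the ratio are assumptions made for illustration, not any server's real configuration.

```python
"""Added example: HTTP/2 frame parsing and a per-connection control-frame flood
heuristic. Not code from the article or from any affected project; the
classification rules and thresholds are illustrative assumptions."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Frame type codes from RFC 7540, section 6.
(DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS, PUSH_PROMISE,
 PING, GOAWAY, WINDOW_UPDATE, CONTINUATION) = range(10)
FLAG_ACK = 0x1            # on SETTINGS and PING frames
FLAG_END_STREAM = 0x1     # on DATA and HEADERS frames
ENHANCE_YOUR_CALM = 0xB   # GOAWAY error code for an abusive peer (RFC 7540, section 7)


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """9-byte header: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Split a byte stream into complete frames; return (frames, unconsumed tail)."""
    frames, off = [], 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        if off + 9 + length > len(buf):
            break  # partial frame: keep it until more bytes arrive
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack("!I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        frames.append(Frame(ftype, flags, stream_id, buf[off + 9:off + 9 + length]))
        off += 9 + length
    return frames, buf[off:]


def is_flood_frame(f: Frame) -> bool:
    """Frames that cost the server a queued reply or work but advance no request.
    Which frames count here is an assumption made for this example."""
    if f.ftype == PING and not f.flags & FLAG_ACK:
        return True   # server must queue a PING ACK for each one (Ping Flood)
    if f.ftype == SETTINGS and not f.flags & FLAG_ACK:
        return True   # server must queue a SETTINGS ACK for each one (Settings Flood)
    if f.ftype == PRIORITY:
        return True   # reshuffles the priority tree without request progress (Resource Loop)
    if (f.ftype in (DATA, HEADERS, CONTINUATION, PUSH_PROMISE)
            and not f.payload and not f.flags & FLAG_END_STREAM):
        return True   # empty frame with no END_STREAM flag (Empty Frames Flood)
    if f.ftype == WINDOW_UPDATE and len(f.payload) >= 4:
        increment = int.from_bytes(f.payload[:4], "big") & 0x7FFFFFFF
        if increment < 16:
            return True  # tiny window increments force tiny sends (Data Dribble); 16 is assumed
    return False


class ConnectionGuard:
    """Per-connection counter. Once flood frames exceed an absolute floor AND a multiple
    of useful frames, the connection is closed with GOAWAY(ENHANCE_YOUR_CALM).
    Floor and ratio are illustrative defaults, not a recommendation."""

    def __init__(self, floor: int = 100, ratio: int = 4):
        self.floor, self.ratio = floor, ratio
        self.flood = self.useful = 0
        self.buf = b""
        self.closed = False

    def feed(self, data: bytes) -> Optional[bytes]:
        """Consume bytes from the client; return a GOAWAY frame if the peer should be cut off."""
        if self.closed:
            return None
        frames, self.buf = parse_frames(self.buf + data)
        for f in frames:
            if is_flood_frame(f):
                self.flood += 1
            else:
                self.useful += 1
            if self.flood > self.floor and self.flood > self.ratio * self.useful:
                self.closed = True
                # GOAWAY payload: last processed stream id (0 here) + error code
                return encode_frame(GOAWAY, 0, 0, struct.pack("!II", 0, ENHANCE_YOUR_CALM))
        return None


if __name__ == "__main__":
    # Constructed traffic: 500 PINGs with no request in between.
    attacker = ConnectionGuard()
    print("ping flood ->", attacker.feed(encode_frame(PING, 0, 0, b"\0" * 8) * 500))
    # Constructed traffic: a request (HPACK-indexed ":method: GET") followed by a PING, 50 times.
    normal = ConnectionGuard()
    mixed = b"".join(encode_frame(HEADERS, FLAG_END_STREAM, 2 * i + 1, b"\x82")
                     + encode_frame(PING, 0, 0, b"\0" * 8) for i in range(50))
    print("normal client ->", normal.feed(mixed))
```

The ratio test matters as much as the floor: a busy but honest client legitimately sends many PINGs and WINDOW_UPDATEs over a long connection, so counting flood frames alone would cut it off, whereas an attacker who never completes a request has a useful-frame count near zero and trips the check quickly.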

Source: opennet.ru