8 DoS vulnerabilities identified in various implementations of the HTTP/2 protocol

Researchers from Netflix and Google have disclosed eight vulnerabilities in various implementations of the HTTP/2 protocol that can cause a denial of service by sending a stream of network requests in a particular way. The problem affects most HTTP servers with HTTP/2 support to some degree and results in the worker process running out of memory or creating a heavy CPU load. Updates that fix the vulnerabilities are already available in nginx 1.16.1/1.17.3 and H2O 2.2.6, but are not yet available for Apache httpd and other products.

The problems stem from complications introduced into the HTTP/2 protocol: the use of binary structures, the system for limiting data flows within a connection, the stream prioritization mechanism, and the presence of ICMP-like control messages that operate at the HTTP/2 connection level (for example, ping, reset, and flow settings). Many implementations did not properly limit the flow of control messages, did not manage the priority queue properly when processing requests, or did not properly implement flow-control algorithms.

Most of the identified attack methods come down to sending certain requests to the server that lead to the generation of a large number of responses. If the client does not read data from the socket and does not close the connection, the response buffering queue on the server side fills up continuously. This behavior puts load on the queue management system that processes network connections and, depending on the implementation, leads to exhaustion of available memory or CPU resources.

Identified vulnerabilities:

  • CVE-2019-9511 (Data Dribble) - the attacker requests a large amount of data across multiple streams while manipulating the sliding window size and stream priority, forcing the server to queue the data in 1-byte blocks;
  • CVE-2019-9512 (Ping Flood) - the attacker continuously sends ping messages over an HTTP/2 connection, causing the internal queue of outgoing responses to flood on the other side;
  • CVE-2019-9513 (Resource Loop) - the attacker creates multiple request streams and continuously changes the priority of the streams, causing the priority tree to be reshuffled;
  • CVE-2019-9514 (Reset Flood) - the attacker creates multiple streams and sends an invalid request through each stream, causing the server to send RST_STREAM frames, but does not accept them, so that they fill the response queue;
  • CVE-2019-9515 (Settings Flood) - the attacker sends a stream of empty "SETTINGS" frames, in response to which the server must acknowledge receipt of each request;
  • CVE-2019-9516 (0-Length Headers Leak) - the attacker sends a stream of headers with an empty name and an empty value, and the server allocates a buffer in memory to store each header and does not free it until the session ends;
  • CVE-2019-9517 (Internal Data Buffering) - the attacker opens the HTTP/2 sliding window so that the server can send data without restrictions, but keeps the TCP window closed, preventing the data from actually being written to the socket. The attacker then sends requests that require a large response;
  • CVE-2019-9518 (Empty Frames Flood) - the attacker sends a series of frames of type DATA, HEADERS, CONTINUATION, or PUSH_PROMISE, but with an empty payload and no end-of-stream flag. The server spends time processing each frame, disproportionate to the bandwidth consumed by the attacker.
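A per-connection accounting check for the control-frame and empty-frame patterns listed above, as an added example that is not from the original article or from any of the affected projects. It assumes the input is the client-to-server byte stream after the HTTP/2 connection preface; the budget values in `LIMITS` and all function names are hypothetical.

```python
import struct
from collections import Counter

# HTTP/2 frame type codes from RFC 7540, section 6.
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS, PUSH_PROMISE, PING = range(7)
CONTINUATION = 9
FLAG_0X1 = 0x1  # END_STREAM on DATA/HEADERS, ACK on SETTINGS/PING

# Assumed per-connection budgets (hypothetical values); tune to real traffic.
LIMITS = {"ping": 100, "settings": 100, "priority": 200, "empty_frame": 50}


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 24-bit length, type, flags, 31-bit stream id."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, stream_id) + payload


def parse_frames(buf):
    """Yield (length, type, flags, stream_id) for each complete frame."""
    off = 0
    while off + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        if off + 9 + length > len(buf):
            break  # truncated trailing frame, wait for more bytes
        yield length, ftype, flags, sid & 0x7FFFFFFF
        off += 9 + length


def audit(buf, limits=LIMITS):
    """Return (counts, sorted names of budgets the connection exceeded)."""
    counts = Counter()
    for length, ftype, flags, _sid in parse_frames(buf):
        if ftype == PING and not flags & FLAG_0X1:
            counts["ping"] += 1            # CVE-2019-9512 pattern
        elif ftype == SETTINGS and not flags & FLAG_0X1:
            counts["settings"] += 1        # CVE-2019-9515 pattern
        elif ftype == PRIORITY:
            counts["priority"] += 1        # CVE-2019-9513 pattern
        elif (ftype in (DATA, HEADERS, CONTINUATION, PUSH_PROMISE)
              and length == 0 and not flags & FLAG_0X1):
            counts["empty_frame"] += 1     # CVE-2019-9518 pattern
    return counts, sorted(k for k, v in counts.items() if v > limits[k])


# Constructed sample: one normal SETTINGS frame, 150 PINGs, 3 empty DATA frames.
SAMPLE = (frame(SETTINGS, 0, 0) + frame(PING, 0, 0, b"\0" * 8) * 150
          + frame(DATA, 0, 1) * 3)
```

A server or proxy would keep such counters per connection and close the connection with GOAWAY once a budget is exceeded, rather than queueing further responses.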

Source: opennet.ru
